Mozilla’s Anti-XSS Tool for Firefox 4 Secures Twitter

Twitter is deploying one of the security features Mozilla built into the new Firefox 4 Web browser, in an ongoing quest to improve security for its users.

Mozilla launched Firefox 4 on March 22 with a number of security features, including features to thwart cross-site scripting (XXS) attacks. Twitter announced on the same day that it had rolled out Mozilla’s Content Security Policy standard on to the mobile version of its site to test “a potentially powerful anti-XSS tool in a controlled setting”, wrote Mark Percival, Twitter’s mobile engineer, on the Twitter engineering blog.

CSP is intended to stop XSS attacks within the browser and prevent the execution of malicious code as pages are being loaded. In a typical XSS attack, attackers inject arbitrary JavaScript code into a page so that an end user accessing the page ends up executing the code. When a Website enables CSP and the Web browser understands CSP, then the browser knows to ignore inline JavaScript, Jonathan Nightingale, Mozilla’s director of Firefox development, told eWEEK.

Inline JavaScript Compromise

Twitter enabled CSP by including the policy in the returned site headers, “X-Content-Security-Policy”, according to Percival. CSP also allows site administrators to include a separate universal resource identifier where the browser could send JavaScript Object Notification (JSON) reports of any violations, potentially alerting them to XSS attempts on the site, Percival said.

While activating CSP on Twitter was “easy”, there is some work involved to get it to work correctly, Percival said. In Twitter’s case, all inline JavaScript was removed from the mobile site, according to Percival. While inline JavaScript should generally not be included with HTML, it is “sometimes necessary” to speed up load times, he said.

Twitter disabled all inline JavaScript from its mobile page and added external assets such as profile images and style sheets to a whitelist so that the browser could load them without triggering a CSP violation. “However, for many sites it is not going to be as simple as flipping a switch,” Percival said.

Most sites will require some work, either on the site or to alter third-party libraries that use JavaScript, Percival said. During initial testing, Twitter found a “surprising” number of Internet service providers who were inserting JavaScript or altering image tags to point to their own caching servers, according to Percival. Twitter now mandates SSL for Firefox 4 users accessing the mobile page, so that the ISPs can no longer alter content, he said.

There were also several “common” Firefox extensions that inserted JavaScript on page load, according to Percival.

Twitter expects to implement CSP across the rest of the site, he said. This move comes less than a week after Twitter announced it will give users the option to use the HTTPS protocol to secure their activity on the Website.

Mozilla packaged a number of new security features other than CSP in Firefox 4, including a “Do Not Track” feature that allows users to “opt out” out of behavioural tracking by advertisers, according to Nightingale. Firefox 4 also forces Websites to maintain HTTPS connections with users the entire time they are on the site and locally encrypt bookmark and history to keep the information private.

A new “Instant Web Site ID” feature offers one-click access to a site’s identity information, including details like how many times a user has visited it, an improved Private Browsing mode and a “Forget This Site” feature that removes any trace of having visited the site.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

15 mins ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

3 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

5 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

20 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

22 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

24 hours ago