Thursday, August 23, 2007

Mozilla Aims at Cross-Site Scripting With FF3

Web 2.0 has enabled a broad array of Websites to be more engaging for
users. It has also enabled a new and now very common attack, namely
cross-site scripting, commonly referred to as XSS. Mozilla is aiming
to put an end to XSS attacks in its upcoming Firefox 3 browser.

The Alpha 7 development release includes support for a new W3C working
draft specification that is intended to secure XML over HTTP requests
(often referred to as XHR), which are often the culprit when it comes
to XSS attacks. XHR is the backbone of Web 2.0, enabling a more dynamic
web experience with remote data. The W3C working draft is officially
titled "Enabling Read Access for Web Resources." It is intended to
define a mechanism by which Web developers can safely provide
cross-site Web resource access. The specification will let developers
define, via an HTTP header or an XML instruction, which sites are
allowed read access and which are not.

A typical XSS attack vector is one in which a malicious Web site reads
the credentials from another site that a user has visited. The new
specification could well serve to limit that type of attack, though it
is still incumbent upon Web developers to be careful with their trusted
data. The W3C working draft warns that "user agents which implement
this specification should take care not to expose other trusted data
(cookies, HTTP header data) inappropriately."

In addition to the new XSS support in Firefox 3 Alpha 7, Mozilla
developers have also fixed some bugs and implementation errors that
cropped up in the Alpha 6 release, which came out in early July. The
latest release isn't just about bug fixes and new feature support.
Mozilla developers have actually dropped support for the SOAP Web
services messaging protocol, according to the official Alpha 7 release
notes.

Firefox 3 is Mozilla's next-generation browser and will be the
successor to the current 2.x browser. The open source group has been
working on Firefox 3 (code name Gran Paradiso) since October of 2006,
when the first Firefox 3 alpha appeared.
