Mozilla working to defend web against XSS attacks
Firefox's makers have been working on new tech to possibly shut down the threat of legitimate websites corrupted by malicious code.

Mozilla is working on a new technology that it hopes will remove the threat of Cross-Site Scripting (XSS) attacks, which have plagued websites for several years.
XSS vulnerabilities allow malicious code to be injected into legitimate websites, which users are persuaded to click on leading to an attack such as a drive-by download.
This is made possible because currently all the content received from a web server's response is treated the same legitimate or malicious by the browser that requests it.
However, with Mozilla's new technology snappily named Content Security Policy' (CSP), the makers of Firefox aim to stop XSS by telling the browser which content is legitimate. The browser can then disregard the malicious code.
Brandon Sterne, security programme manager for Mozilla, said on the Mozilla security blog that the new model it was suggesting would be very different to the current unrestricted model for the web.
But Sterne said that CSP could be implemented in phases, that complex sites could be modified to support it, and that it could drive a stake through the heart of XSS.
"XSS vulnerabilities have real value to attackers and are shared rapidly across the web once discovered. Sites can breathe a little easier knowing their users are protected, even if a XSS bug slips through," he said.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"Because CSP can be configured to notify the protected site when an attack is blocked, CSP will even benefit users of older browsers, by helping sites and plug vulnerabilities quickly."
Sterne said that CSP was a collaboration of many individuals and had input from different websites, browser vendors and web application security experts.
Mozilla has already begun implementation of the CSP specification.
As recently as May, Google had to fix an XSS vulnerability that could have left its services open to attack.
-
LaunchDarkly to "double down" on observability with Highlight acquisition
News Highlight's observability tools will be integrated into LaunchDarkly's Guarded Releases software deployment service
By Daniel Todd
-
Samsung Galaxy Tab S10 FE review
Reviews The Tab S10 FE retains the feel and core capabilities of Samsung's high-end S10 tablets, but compromises on the display and the performance
By Stuart Andrews
-
Mozilla to cut 250 jobs as part of major coronavirus restructure
News The reorganisation has been made so the company can become faster, more innovative, and find more revenue streams
By Keumars Afifi-Sabet
-
Mozilla re-hires veteran Mitchell Baker to serve as CEO
News The interim chair and CEO formally rejoins the organisation after Chris Beard stepped down in December 2019
By Keumars Afifi-Sabet
-
Mozilla fixes two Firefox zero-days being actively exploited
News Critical vulnerabilities allow attackers to execute arbitrary code or trigger crashes
By Carly Page
-
Android gets new security sandboxing features
News Google brings mobile site isolation to Chrome to protect against ‘Spectre-like’ attacks
By Adam Shepherd
-
Firefox angers users with alarming Mr Robot plugin
News The opt-out extension led many users to believe they had been hacked
By Dale Walker
-
Mozilla doubles the speed of its browser with Firefox Quantum
News The browser is faster and makes use of your system resources better
By Clare Hopping
-
Mozilla’s rebrand confuses web browsers
News Chrome, Safari and Firefox struggle with moz://a
By Joe Curtis
-
Firefox ditches 404s in favour of archived pages
News Mozilla's browser is trialling showing older versions of a webpage instead of an error message
By Nicole Kobie