X-Content-Security-Policy

On April 5, 2011, in development, security, web, by eugenekogan

Content Security Policy (CSP) is a draft specification from W3C, and was recently implemented in the latest version of Firefox. Basically, CSP is a way for a website owner to specify how a browser should treat content that it receives from his site. For example, it’s possible to list which domains you trust to serve JavaScript. Any JavaScript received from a domain not on your list will not be executed by the browser. This feature alone is a great security improvement, and there are many other attacks that can be entirely or partially mitigated using CSP.

Another beneficial side effect of adopting CSP is that it will force organizations to take stock of everything that their site is doing, and perhaps even make some smart design changes in the process (like removing and disabling all inline JavaScript). For developers, Mozilla has some great references, like this overview and this detailed list of policy directives.
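As an added example (my own code, not code from the original post, from Mozilla, or from the W3C draft), here is a small Python checker that applies a script-src allowlist the way the two paragraphs above describe and reports whether a policy would still let inline scripts run. It uses the standardized Content-Security-Policy directive syntax (default-src, script-src, quoted keywords such as 'self' and 'unsafe-inline') rather than the draft syntax Firefox accepted at the time under the X-Content-Security-Policy header, and it goes slightly beyond the post by handling the fallback from script-src to default-src, scheme-only sources and wildcard subdomains. The policies, hostnames and URLs are constructed for illustration.

```python
"""Toy CSP script-source checker (added example, not from the original post).

Uses the standardized Content-Security-Policy syntax; the 2011 Firefox draft
the post refers to shipped under the X-Content-Security-Policy header with a
different directive syntax. All policies and URLs below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample policies: the first still permits inline <script> blocks
# (so an injected inline script would run), the second does not.
LOOSE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com *.static.example.org"


def parse_csp(header):
    """Split a policy header into {directive-name: [source expressions]}.
    A repeated directive is ignored (the first occurrence wins), as in CSP."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def origin_of(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def _split_host_source(source):
    """Break a host-source such as https://*.cdn.example.com:8443/path into parts."""
    scheme, rest = None, source
    if "://" in source:
        scheme, rest = source.split("://", 1)
        scheme = scheme.lower()
    rest = rest.split("/", 1)[0]            # the path part plays no role in origin matching here
    host, _, port = rest.rpartition(":")
    if not host:                            # no ':' present, so the whole thing is the host
        host, port = rest, ""
    return scheme, host.lower(), (int(port) if port else None)


def _source_matches(source, origin, page_origin):
    """Does one source expression permit a script fetched from `origin`?"""
    scheme, host, port = origin
    if source == "'self'":
        return origin == page_origin
    if source == "*":
        return True
    if source.startswith("'"):              # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source such as "https:"
        return scheme == source[:-1].lower()
    src_scheme, src_host, src_port = _split_host_source(source)
    # A scheme-less host-source matches the page's own scheme (or https).
    allowed_schemes = {src_scheme} if src_scheme else {page_origin[0], "https"}
    if scheme not in allowed_schemes:
        return False
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != host:
        return False
    expected_port = src_port or DEFAULT_PORTS.get(src_scheme or scheme)
    return port == expected_port


def _script_sources(directives):
    """script-src governs scripts; without it the browser falls back to default-src."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", ["*"])   # nothing governs scripts: everything loads


def script_allowed(policy, script_url, page_url):
    """Would a <script src=...> loaded from script_url run on a page at page_url?"""
    sources = _script_sources(parse_csp(policy))
    origin, page_origin = origin_of(script_url), origin_of(page_url)
    return any(_source_matches(s, origin, page_origin) for s in sources)


def inline_scripts_allowed(policy):
    """Inline <script> blocks and on* handlers run only with 'unsafe-inline'."""
    directives = parse_csp(policy)
    if "script-src" not in directives and "default-src" not in directives:
        return True                         # no directive governs scripts, same as having no CSP
    return "'unsafe-inline'" in _script_sources(directives)


if __name__ == "__main__":
    page = "https://www.example.com/account"
    for name, policy in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(f"{name}: inline scripts allowed = {inline_scripts_allowed(policy)}")
        for url in ("https://www.example.com/app.js", "https://cdn.example.com/lib.js",
                    "http://cdn.example.com/lib.js", "https://attacker.example.net/x.js"):
            print(f"  {url}: {script_allowed(policy, url, page)}")
```

Running the script prints, for each policy, whether inline scripts are still permitted and which of the sample script URLs would load; the useful check for the point in the post is that the strict policy answers `False` for both the inline case and the off-list domain, while the loose policy's 'unsafe-inline' gives back most of what the allowlist was meant to take away.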

I look forward to seeing CSP adopted more widely and supported by every major browser. If anyone has some practical experience with deploying CSP, please share some of your lessons learned.
