Mozilla's Content Security Policy
Cross Site Scripting (XSS) is today - by far - the most common attack vector used to compromise websites. XSS has always existed, but it has had its prime time in recent years due to the exponential increase in user-generated content on web pages. Today almost every single web page lets random users post content such as comments and status updates, or submit other kinds of information.
In theory the problem is easy to avoid - just sanitize your users' input. However, in reality this has turned out to be almost impossible, and every single large website out there (correct me if I'm wrong) has in recent years been a victim of XSS. The list includes YouTube, LinkedIn, Twitter, Facebook and so on.
By this point I think it's clear that the responsibility for protecting against XSS cannot be placed on the website alone. Some may argue it should, but if we want to secure the web this is simply not possible. So finally the Mozilla Foundation has answered this by pushing a new HTTP header called X-Content-Security-Policy (CSP).
This header allows webmasters to define a policy for a web page and thereby tell the browser which permissions the page should have.
For instance, it is possible to only allow content from the site itself, thus preventing an attacker from sending sensitive data to his own server. This is done simply by adding a new HTTP header:
X-Content-Security-Policy: allow 'self'
This tells the browser that you only want to allow data to be fetched from the current domain. Furthermore, when CSP is in effect the browser also disables a wide range of ways of invoking JavaScript inline - something which is still possible today but almost exclusively used for attacking websites.
However, websites today often do include benign code from other servers: Twitter streams, like buttons, etc. All of these would be blocked by adding the header above. Fortunately CSP makes it possible to control precisely which kinds of content you want to allow from which servers. This means that not only can you forbid content from all external servers except Google, Facebook and Twitter, but you can forbid content from your own server unless it's accessed over HTTPS, and if you want you can even use CSP to disable JavaScript completely on your site.
This is in many ways the holy grail web developers have been looking for. You can read more about it in Mozilla's official draft.
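To make the source rules concrete, here is an added example (not code from this post or from Mozilla) of a small policy evaluator that applies a header written in the X-Content-Security-Policy syntax used above to a single resource load. It goes slightly beyond the post by also handling host wildcards (https://*.facebook.com) and scheme-only sources (https:), and it assumes that a load covered by no directive and with no allow fallback is denied.

```python
from urllib.parse import urlparse

def parse_policy(policy):
    """Split "allow 'self'; script-src a.com b.com" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _source_matches(source, page, resource):
    """Check one source expression against a parsed resource URL.
    page is the parsed URL of the document carrying the policy."""
    src = source.strip("'").lower()
    host_name = resource.hostname or ""          # data: URIs etc. have no host
    if src == "none":
        return False
    if src == "self":                             # same scheme and host:port as the page
        return (resource.scheme, resource.netloc.lower()) == (page.scheme, page.netloc.lower())
    if src == "*":
        return True
    if src.endswith(":"):                         # scheme source, e.g. "https:"
        return resource.scheme == src[:-1]
    # host source, optionally scheme-qualified and with a leading wildcard,
    # e.g. "https://*.facebook.com" (ports are ignored in this simplified example)
    scheme, _, host = src.rpartition("://")
    if scheme and resource.scheme != scheme:
        return False
    if host.startswith("*."):
        return host_name.endswith(host[1:])
    return host_name == host

def is_allowed(policy, directive, page_url, resource_url):
    """True if the policy lets page_url load resource_url under the given directive
    (script-src, img-src, ...). Assumption for this example: a missing directive
    falls back to 'allow', and if that is missing too the load is denied."""
    directives = parse_policy(policy)
    sources = directives.get(directive) or directives.get("allow") or ["'none'"]
    page, resource = urlparse(page_url), urlparse(resource_url)
    return any(_source_matches(s, page, resource) for s in sources)

if __name__ == "__main__":
    # Constructed sample policy mirroring the post: nothing by default, scripts only
    # from the site itself plus Twitter and Facebook, images only over HTTPS.
    policy = ("allow 'none'; script-src 'self' https://platform.twitter.com "
              "https://*.facebook.com; img-src https:")
    page = "https://blog.example"
    print(is_allowed(policy, "script-src", page, "https://third-party.example/x.js"))
```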
But wait - there's more!
Not only does the CSP specification constrain the browser, it also allows the browser to report back when the page tries to violate its permissions. This is not just extremely useful for debugging that your permissions are set correctly, but also helps you catch potential attacks on your websites and thus fix the problems more quickly.
What is lacking?
Content Security Policy has existed in Firefox since version 4. Unfortunately, only Firefox supports it at the moment. However, Chrome is finally implementing it as well, which is great news! Neither Internet Explorer, Safari nor Opera has given any hints about whether they are working on implementing it.
The Bigger Problem
Furthermore there is the problem of usability. While I would call this the holy grail in the fight against XSS for the big guys such as LinkedIn, it is unlikely that we will see it widespread any time soon. Even among the people who are technically savvy enough to buy a web host and set up their own WordPress blog, most do not know anything about security and have no idea how (or why) to set up their HTTP headers in order for this to work. And unfortunately this is not something which can be generically pushed into any platform/framework, since it requires fine tuning for every website. Simply adding a default CSP header to WordPress would stop any like button and Google Analytics code from working, causing major problems for a lot of less savvy webmasters out there. Nonetheless, when CSP becomes default in more browsers (and I do not doubt it will) all the major players will gain a great new tool in the fight against XSS (and similar attacks), and maybe even platforms like WordPress will implement a user friendly interface for it.
Tags: security, content-security-policy, mozilla, firefox, xss
By NotInfoShrek on 24/06/2011 at 08:07PM
InfoShrek - You should go read about how XSS works. If all major browsers implemented CSP, then people using them would be safe. CSP doesn't prevent the malicious code from getting onto a website...it prevents innocent users of the website from unknowingly executing the code and sending their cookies to the attacker's site. Interesting analogy though.
By InfoShrek on 24/06/2011 at 07:16PM
The big downside I can see to this is you are relying on the client software to enforce your security policy. If and when this becomes enabled in all big browsers, you'll see the people who want to perform XSS attacks simply use a browser that is not CSP compliant. This really is like putting an expensive lock on a fence that's only a foot and a half tall. You are protecting yourself from the honest folks, who weren't out to attack your site anyway.