Last Updated: 2011-03-23 10:28:43 UTC
by Johannes Ullrich (Version: 1)
Like no other release before it, Firefox 4 includes a number of significant security features. These features are addressing attacks that are in particularly hard to avoid by developers and in which the browser is more so the victim then the server.
These attacks, Cross Site Scripting (XSS), redirects to HTTP pages from HTTPS and Clickjacking use vulnerable web applications more as a mirror to bounce attacks into the browser. The browser can provide meaningful protection against these attacks, unlike for more server centric attacks like sql injection, for which the attacker is in full control of the client.
XSS and Content Security Policy (CSP)
We have seen a couple of prior attempts to assist browsers to detect XSS attacks. All of these attempts, (the NoScript plugin or the IE 8 "X-XSS-Protection:" header had the same problem: They had no idea what kind of script to expect on a particular page. In some cases, they could prevent reflected XSS just by comparing strings sent by the browser to strings being returned by the server. Neither NoSpring nor IE 8 did a sufficient job in preventing XSS and many users or web developers turned it off due to high false positive rates.
CSP takes a different approach: It uses server headers to tell the browser what kind of content to expect. That way, the browser can make a more intelligent decision as to how to block content that does not match the policy communicated by the server. I will probably discuss this feature in more detail in the future, but if you are interested, last months Monthly Threat Update webcast covered the main points. 
One CSP feature I would like to point out: The server may communicate as part of its policy a "Report-URI" which the browser can use to report any violations of the CSP. This is not only great to detect attacks, but even more so to detect legitimate features on your site that are not sufficiently covered by your policy.
If you would like to experiment: Just add "?csp=Y" to any isc.sans.edu URL. It will enable our test CSP. Right now, it is not very restrictive as I am still refining some of our content. We do also have a little CSP test page at http://isc.sans.edu/tools/csptest.html which highlights some of the features.
Another neat feature to tell the browser more about how to connect to a given site. If the "Strict-Transport-Security" header is set, the browser will refuse any attempt to connect to the site via HTTP. The threat model here is that an attacker will inject a redirect to the HTTP version of the site while the user is browser a non HTTPS site (any site, not just the target). This could lead to the disclosure of confidential information like authentication cookies. Sure. This attack can be mitigated in part by setting the "secure" option of your session cookie. But it may not be so easy if the injection of the redirect happens during the login process.
This header has two parameters: A "max-age" indicating for how long this rule should be obeyed and a "includeSubdomain" parameter that will extend the rule to all subdomains. This header should be used on all HTTPS only sites.
A few other changes:
- X-FRAME-OPTIONS Header: it can be used to prevent a site from being included in a frame. This option exists in other browsers as well (IE, Safari, Chrome). Some of the recent 3.6 versions of Firefox already included it and NoScript implemented it. CSP implements a more fine grained restriction on framing.
- User-Agent Header: Firefox 4 uses a less verbose user agent header which makes it a bit harder to track users
- Do-Not-Track Features: More about this later. It does signal sites if you don't want to be tracked.