An individual XSS can be easily remediated with contextual output encoding per the OWASP XSS Prevention Cheat Sheet. Although an individual XSS can easily be addressed, the overall cat and mouse game of effectively ridding an application of XSS can be very difficult. To combat this problem a new security feature, Content Security Policy, has been introduced into the Mozilla Firefox browser.
Here's a basic overview of the CSP process:
- Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use.
CSP Enabled Browsers
Content Security Policy is currently supported in Firefox 4. Although CSP is currently supported in only one browser, there are still many reasons to provide CSP support within a website. CSP will provide an added layer of protection to all website users with a CSP-enabled browser. In addition, CSP-enabled browsers will also provide violation-reporting feedback to the website owners in the event an XSS attack is somehow injected into the page. Finally, if CSP is well received then the intent is to formalize this into a standard and push for adoption within other browsers.
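The following Python is an added example, not code from the original post or from Mozilla: it builds the policy header a server would send, parses a policy back into directives, checks whether a given host is permitted by a directive (a simplified version of the spec's source matching: 'self', 'none', '*', exact hosts and *.wildcard hosts only), and summarizes the JSON violation report a CSP-enabled browser posts to the report-uri. The header name is the X-Content-Security-Policy name the post describes; the directive spelling default-src follows the W3C draft (the Mozilla draft spelled this directive allow), and the hostnames, paths and the sample report are constructed for the example.

```python
"""Added example: emit, parse and reason about a Content Security Policy.

Not part of the original post. Hostnames, paths and the sample violation
report below are constructed for illustration.
"""
import json

# Header name used by the Firefox 4 implementation described in the post.
CSP_HEADER = "X-Content-Security-Policy"


def build_policy(directives):
    """Serialize {directive: [source list]} into the header value string."""
    return "; ".join(f"{name} {' '.join(sources)}"
                     for name, sources in directives.items())


def csp_headers(directives):
    """Response header pair a server adds to every HTML response."""
    return [(CSP_HEADER, build_policy(directives))]


def parse_policy(policy):
    """Split a policy string back into {directive: [sources]}."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0]] = tokens[1:]
    return parsed


def _source_matches(source, host, self_host):
    """Simplified source-expression matching (no scheme/port handling)."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return host == self_host
    if source.startswith("*."):            # "*.example.com" matches subdomains
        return host.endswith(source[1:])
    return host == source


def is_source_allowed(parsed, directive, host, self_host):
    """True if `host` may serve content for `directive`.

    Falls back to default-src when the specific directive is absent,
    as the W3C draft specifies."""
    sources = parsed.get(directive, parsed.get("default-src", []))
    return any(_source_matches(s, host, self_host) for s in sources)


def summarize_report(body):
    """Extract the fields worth logging from a posted violation report.

    Reports are a JSON object under the "csp-report" key; both the
    "document-uri" and the older "request" key are accepted defensively."""
    report = json.loads(body).get("csp-report", {})
    return {
        "document": report.get("document-uri") or report.get("request"),
        "blocked": report.get("blocked-uri"),
        "directive": report.get("violated-directive"),
    }


# Constructed example policy: same-origin by default, scripts also from one
# static host, and violation reports posted to a collector on this site.
EXAMPLE_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "static.example.com"],
    "report-uri": ["/csp-report"],
}

# Constructed violation report, shaped like what a browser would POST.
EXAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/profile",
    "blocked-uri": "https://evil.example.net/x.js",
    "violated-directive": "script-src 'self' static.example.com",
}})

if __name__ == "__main__":
    print(csp_headers(EXAMPLE_DIRECTIVES))
    parsed = parse_policy(build_policy(EXAMPLE_DIRECTIVES))
    print(is_source_allowed(parsed, "script-src", "evil.example.net", "www.example.com"))
    print(summarize_report(EXAMPLE_REPORT))
```

A real deployment would log the summarized report with the request's source address and user agent and alert when a new blocked-uri appears; with a 'self'-only policy, an injected script tag pointing at an outside host produces a report even though the browser never executed it.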
- Spec: https://wiki.mozilla.org/Security/CSP/Specification
- Developer CSP Link: https://developer.mozilla.org/en/Introducing_Content_Security_Policy
- W3C Web App Security Working Group - CSP Link: http://www.w3.org/2010/07/appsecwg-charter#deliverables
- Mozilla Blog Post on CSP: http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/
- Sample Policy Definitions : https://wiki.mozilla.org/Security/CSP/Specification#Sample_Policy_Definitions
- Notes from one of the CSP creators (Brandon Sterne) : http://people.mozilla.com/~bsterne/content-security-policy/
Michael Coates (@_mwc) & Brandon Sterne (@bsterne)