Twitter rolls out its Content Security Policy to block cross-site scripting attacks from the browser on its mobile Website. The change affects only Firefox 4 users accessing mobile.twitter.com at this time.
Twitter is deploying one of the security features Mozilla built into the new
Firefox 4 Web browser in an ongoing quest to improve security for its users.
launched Firefox 4 on March 22 with a number of security features,
including features to thwart cross-site scripting attacks. Twitter announced on
the same day that it had rolled out Mozilla's
Content Security Policy standard on to the mobile version of its site to
test "a potentially powerful anti-XSS tool in a controlled setting,"
wrote Mark Percival, Twitter's mobile engineer, on the Twitter
CSP is intended to stop XSS attacks within the browser and prevent the
execution of malicious code as pages are being loaded. In a typical XSS attack,
accessing the page ends up executing the code. When a Website enables CSP and
Jonathan Nightingale, Mozilla's director of Firefox development, told eWEEK.
Twitter enabled CSP by including the policy in the returned site headers, "X-Content-Security-Policy,"
according to Percival. CSP also allows site administrators to include a
Object Notification) reports of any violations, potentially alerting them to
XSS attempts on the site, Percival said.
While activating CSP on Twitter was "easy," there is some work
involved to get it to work correctly, Percival said. In Twitter's case, all
necessary" to speed up load times, he said.
external assets such as profile images and style sheets to a whitelist so
that the browser could load them without triggering a CSP violation. "However,
for many sites it is not going to be as simple as flipping a switch,"
Most sites will require some work, either on the site or to alter
testing, Twitter found a "surprising" number of Internet service
their own caching servers, according to Percival. Twitter now mandates SSL
for Firefox 4 users accessing the mobile page, so that the ISPs can no longer
alter content, he said.
There were also several "common" Firefox extensions that inserted
Twitter expects to implement CSP across the rest of the site, he said. This
move comes less than a week after Twitter announced it will give users the
option to use the HTTPS protocol to secure their activity on the Website.
Mozilla packaged a number of new security features other than CSP in Firefox
4, including a "Do Not Track" feature that allows users to "opt out"
out of behavioral tracking by advertisers, according to Nightingale. Firefox 4
also forces Websites to maintain HTTPS connections with users the entire time
they are on the site and locally encrypt bookmark and history to keep the
A new "Instant Web Site ID" feature offers one-click access to a
site's identity information, including details like how many times a user has
visited it, an improved Private Browsing mode and a "Forget This Site"
feature that removes any trace of having visited the site.