Web Security : Mozilla Firefox 3 will stop XSS attacks
Posted by Max on 2007/8/24 8:48:15 (1423 reads)

Cross Site Scripting (XSS) attacks force the user’s browser to execute malicious JavaScript code within the security context of the designated victim website.

Mozilla intends to put an end to XSS attacks in the next version of its popular Firefox 3 browser. The Alpha 7 development release includes support for a new W3C working draft specification that is intended to secure XML over HTTP requests (often referred to as XHR), which are often the culprit when it comes to XSS attacks. XHR is the backbone of Web 2.0, enabling a more dynamic web experience with remote data.

"Cross site XMLHttpRequest will enable web authors to more easily and safely create Web mashups," stated Mike Schroepfer, Mozilla's vice president of engineering.

"It is one of many advanced Web standards that we are implementing in Firefox 3 and look forward to the world adopting."

The W3C working draft is officially titled, "Enabling Read Access for Web Resources." It's intended to define a mechanism by which Web developers can safely provide cross-site Web resource access. The specification will let developers define via an HTTP header or an XML instruction which sites are allowed read-access and which are not.

A typical XSS attack vector is one in which a malicious Web site reads the credentials from another that a user has visited. The new specification could well serve to limit that type of attack though it is still incumbent upon Web developers to be careful with their trusted data.

The W3C working draft warns that "user agents which implement this specification should take care not to expose other trusted data (cookies, HTTP header data) inappropriately."

Of course, it's also wise to consider the source.

"Application authors should be aware that content retrieved from another site is not itself trustable," the W3C working draft advises. "Authors should take care to protect against exposing themselves to cross-site scripting attacks by rendering or executing the retrieved content directly without validation."
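Both halves of that advice, sketched as an added example that is not from the article, Mozilla or the W3C draft: a server that grants read access only to listed sites, and a client that treats what it retrieves as untrusted data. The article does not quote the draft's header syntax, so the header names are those of today's CORS (an assumption), and the origins and function names are constructed for illustration.

```javascript
// Added example. Header names follow modern CORS (assumption: the article
// does not quote the 2007 draft's syntax). Origins are constructed samples.
const ALLOWED_ORIGINS = new Set([
  "https://mashup.example",
  "https://partner.example",
]);

// Server side: decide which headers to attach for a request's Origin value.
function accessControlHeaders(origin) {
  // Exact match only: prefix or substring checks would also accept
  // look-alike hosts such as "https://mashup.example.evil.test".
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no grant: the browser withholds the response from the caller
  }
  return {
    "Access-Control-Allow-Origin": origin,
    // Caches must key on Origin, or one site's grant is served to another.
    "Vary": "Origin",
  };
}

// Client side: content fetched from another site is data, not markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the HTML for a retrieved headline. The link is kept only if it
// parses as an http(s) URL, so javascript: and data: URLs are dropped.
function renderHeadline(item) {
  const title = escapeHtml(item.title);
  let href = null;
  try {
    const u = new URL(item.link);
    if (u.protocol === "http:" || u.protocol === "https:") href = u.href;
  } catch (_) {
    // Not a parseable URL: render the title without a link.
  }
  return href
    ? `<a href="${escapeHtml(href)}">${title}</a>`
    : `<span>${title}</span>`;
}
```

The read-access grant and the output escaping are independent controls: an allowed origin can still return hostile content, which is why the client escapes even responses from sites on the list.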

In addition to the new XSS support in Firefox 3 Alpha 7, Mozilla developers have also fixed some bugs and implementation errors that cropped up in the Alpha 6 release, which came out in early July.

The latest release isn't just about bug fixes and new feature support. Mozilla developers have actually dropped support for the SOAP Web services messaging protocol, according to the official Alpha 7 release notes. (It still runs in Firefox 3, however.)

"The SOAP implementation dropped from Firefox 3 was only available to extension authors, who have many other more modern implementations to choose from," Schroepfer explained. "We are, in general, removing as much old code from the core browser as possible to improve security, reduce download size, and allow Web and extension authors to choose the latest support libraries they need."

Firefox 3 is Mozilla's next generation browser and will be the successor to the current 2.x browser. The open source group has been working on Firefox 3 (code name Gran Paradiso) since October of 2006 when the first Firefox 3 alpha appeared.

At the time the Alpha 6 browser was released, Mozilla had projected that the Beta 1 release would be out by July 31. That obviously didn't happen.

"A firm date for Beta 1 has not yet been set," Schroepfer said. "We are shipping milestones every 6 weeks (next up is Milestone 8) and when the quality of the milestones are ready for broad use we'll ship Beta 1."



