Improving Browser Security with CSP

Tuesday, 22 March 2011

If you are using Firefox 4, you now have an extra layer of security when accessing mobile.twitter.com.

Over the past few weeks we’ve been testing a new security feature for our mobile site. It is called a Content Security Policy, or CSP. This policy is a standard developed by Mozilla that aims to thwart cross site scripting (XSS) attacks at their point of execution, the browser. The upcoming release of Firefox 4 implements CSP, and while the mobile site may not get a high volume of desktop browser traffic (the desktop users hitting that site typically have low bandwidth connections), it has given us an opportunity to test out a potentially powerful anti-XSS tool in a controlled setting.

CSP IN A NUTSHELL

In a typical XSS attack, the attacker injects arbitrary Javascript into a page, which is then executed by an end-user. When a website enables CSP, the browser ignores inline Javascript and only loads external assets from a set of whitelisted sites. Enabling CSP on our site was simply a matter of including the policy in the returned headers under the CSP defined key, ‘X-Content-Security-Policy’.

The policy also contains a ‘reporting URI’ to which the browser sends JSON reports of any violations. This feature not only assists debugging of the CSP rules, it also has the potential to alert a site’s owner to emerging threats.

IMPLEMENTING THE FEATURE

Although activating CSP is easy, in order for it to work correctly you may need to modify your site. In our case it meant removing all inline Javascript. While it is good practice to keep inline Javascript out of your HTML, it is sometimes necessary to speed up the load times on slower high-latency mobile phones.

We began our explorations by restricting the changes to browsers that support CSP (currently only Firefox 4) in order to lessen the impact on users. Next, we identified all the possible locations of our assets and built a rule set to encompass those; for example, things such as user profile images and stylesheets from our content delivery network.

Our initial trials revealed that some libraries were evaluating strings of Javascript and triggering a violation, most notably jQuery 1.4, which tests the ‘eval’ function after load. This wasn’t totally unexpected and we modified some of the libraries to get them to pass. Since jQuery fixed this in 1.5, it is no longer an issue.

INITIAL RESULTS

After a soft launch, we ran into some unexpected issues. Several common Firefox extensions insert Javascript on page load, thereby triggering a report. However, even more surprising were the number of ISPs who were inadvertently inserting Javascript or altering image tags to point to their caching servers. It was the first example of how CSP gave us visibility into what was happening on the user’s end. We addressed this problem by mandating SSL for Firefox 4 users, which prevents any alteration of our content.

Today CSP is one hundred percent live on mobile.twitter.com and we are logging and evaluating incoming violation reports.

FINAL THOUGHTS

Allowing sites like Twitter to disable inline Javascript and whitelist external assets is a huge step towards neutralizing XSS attacks. However, for many sites it is not going to be as simple as flipping a switch. Most sites will require some work and you may need to alter a few third-party Javascript libraries. Depending on how complex your site is, this could entail the bulk of your effort.

We hope other browsers will adopt the CSP standard, especially as more sites depend on client-side code and user-generated content. The simple option of being able to disable inline Javascript and limit external sources gives sites the ability to stop the vast majority of today’s attacks with minimal effort.

Over the next couple of months we plan to implement a Content Security Policy across more of Twitter, and we encourage you to request support for this standard in your preferred browser.

ACKNOWLEDGEMENTS

The following people at Twitter contributed to the CSP effort: John Adams, Jacob Hoffman-Andrews, Kevin Lingerfelt, Bob Lord, Mark Percival, and Marcus Philips

FURTHER READING

Mozilla CSP announcement

Mozilla CSP Doc Center

CSP Spec

CSP Demo Page

—Mark (@mdp)