Monday, July 25, 2011
Declarative Security - Browser Addons for Mozilla Firefox
- Clickjacking Defense - Declarative Sec Detector
The X-FRAME-OPTIONS sets a restriction on the framing of a web page for a particular domain. It uses the value DENY and SAMEORIGIN for rendering the contents into a child frame.It is possible to stop the rendering completely in a child frame using DENY as a parameter. The SAMEORIGIN parameter declares that the content can only come
from the parent site and that no third party content rendering is allowed.This addon scans all the HTTP response headers that accompany with the web page and raises a notification in the status bar showing whether the declarative security for Clickjacking is applied on the respective domain or not.
For more details Refer: http://www.usenix.org/event/collsec10/tech/full_papers/Sood.pdf
- HTTP Content Security Policy Detector
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP is designed to be fully backward compatible; browsers that don't support it still work with servers that implement it, and vice-versa. Browsers that don't support CSP simply ignore it, functioning as usual, defaulting to the standard same-origin policy for web content.
For more details refer: https://developer.mozilla.org/en/introducing_content_security_policy