Site Security Policy From Mozilla

The last 3 years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2007 saw dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.

While many sites are aware of these threats and have programs in place to find and remediate the vulnerabilities, the sheer size and complexity of the websites make complete remediation of the security holes implausible. Browser vendors can do more to protect users from client-side attacks involving websites that are vulnerable to the classes of attacks mentioned above. This document proposes a mechanism that enables a website to define a Site Security Policy which browsers can choose to enforce, restricting the capabilities of web content that make these attacks possible.

One might ask "if the vulnerable websites are aware of their shortcomings in Application Security, why don't they address the root cause and fix their vulnerabilities?" It is true that the ideal solution is to develop web applications free from any exploitable vulnerabilities. Real world security, however, is usually provided in layers, and Site Security Policy is intended to be only one layer. Even the hypothetical vulnerability-free website can benefit from Site Security Policy: though the site may be free of vulnerabilities today, a new vulnerability may be introduced tomorrow, and it could remain fully mitigated by Site Security Policy until it is detected and fixed properly.
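To make the layered-defence argument concrete, here is an added illustration of the mechanism the two paragraphs above describe: a site declares a policy, and the browser consults it before running a script or sending a cross-site request. This is example code written for this page, not code from the original post and not Mozilla's proposal; the header format, the directive names (`script-src`, `request-src`), the keywords `self` and `inline`, and all origins and URLs are constructed assumptions for the demonstration.

```javascript
// Simplified, hypothetical model of a site-declared security policy enforced
// by the browser. Directive names, header syntax and keywords are constructed
// for this example; they are NOT Mozilla's actual Site Security Policy syntax.

// Constructed sample: the document's origin and the policy the site declared.
const DOCUMENT_ORIGIN = "https://bank.example";
const POLICY_HEADER = "script-src self https://cdn.example; request-src self";

// Parse "name src src; name src" into { name: [src, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name] = sources;
  }
  return policy;
}

// Resolve a possibly relative URL against the document and return its origin.
function originOf(url, documentOrigin) {
  return new URL(url, documentOrigin).origin;
}

// Does the policy allow `directive` to use `url`? A missing directive denies,
// so a policy the site forgot to extend fails closed rather than open.
function isAllowed(policy, directive, url, documentOrigin) {
  const sources = policy[directive] || [];
  const origin = originOf(url, documentOrigin);
  return sources.some((src) =>
    src === "self" ? origin === documentOrigin : src === origin
  );
}

// XSS side: walk the page's <script> tags and decide which the browser would
// run. Inline scripts run only if the site opted in with the "inline" keyword,
// so an injected inline script is blocked even though the page is vulnerable.
function filterScripts(html, policy, documentOrigin) {
  const allowed = [];
  const blocked = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (srcMatch) {
      const src = srcMatch[1];
      (isAllowed(policy, "script-src", src, documentOrigin) ? allowed : blocked).push(src);
    } else {
      const sources = policy["script-src"] || [];
      (sources.includes("inline") ? allowed : blocked).push("<inline script>");
    }
  }
  return { allowed, blocked };
}

// CSRF side: should the browser send a state-changing request to `targetUrl`
// on behalf of a page at `initiatorOrigin`? The initiator is checked against
// the *target* site's declared policy.
function shouldSendRequest(policy, initiatorOrigin, targetUrl) {
  const targetOrigin = new URL(targetUrl).origin;
  return isAllowed(policy, "request-src", initiatorOrigin, targetOrigin);
}

// Constructed page: two legitimate scripts plus two attacker-injected ones.
const PAGE = `
<script src="https://cdn.example/app.js"></script>
<script src="/static/site.js"></script>
<script src="https://attacker.example/steal.js"></script>
<script>/* injected inline script */</script>
`;

function demo() {
  const policy = parsePolicy(POLICY_HEADER);
  const scripts = filterScripts(PAGE, policy, DOCUMENT_ORIGIN);
  const crossSitePost = shouldSendRequest(
    policy, "https://attacker.example", "https://bank.example/transfer");
  const sameSitePost = shouldSendRequest(
    policy, DOCUMENT_ORIGIN, "https://bank.example/transfer");
  return { scripts, crossSitePost, sameSitePost };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see the decisions. The point of the model is the one the text makes: the policy does not remove the injection, it limits what the injected content can do, and the browser makes that limit hold until the site's own fix lands. Deny-by-default for a missing directive is a deliberate choice here, since a policy that fails open would give the site no protection exactly when it was incompletely configured.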
