Category: Mozilla

Update to CSP Bookmarklet January 20th, 2011

It was pointed out to me that my CSP bookmarklet was using a feature added in ECMAScript 5, Object.keys, and thus did not work in older browsers. I added a bit of code to address this:

// Polyfill Object.keys (ECMAScript 5) for browsers that lack it. Like the
// native version, it returns only the object's own enumerable properties.
Object.keys = Object.keys || function(obj) {
  var keys = [];
  for (var key in obj) {
    if (obj.hasOwnProperty(key))
      keys.push(key);
  }
  return keys;
};

Browsers that don’t natively support Object.keys will now have that functionality added when the bookmarklet runs. Go ahead, give it a try: Recommend CSP

As before, the full source is posted for you to browse as well.

Content Security Policy Recommendation Bookmarklet October 14th, 2010

I wrote a bookmarklet that analyzes the content on the current page and recommends a Content Security Policy based on the types of content it finds on the page and the sources of that content. The implementation also takes into account resources that are dynamically added to the page by JavaScript.

For instance, today I learned that ReCAPTCHA loads script not only from api.recaptcha.net but also from www.google.com. Note to self: figure out why Google needs to know about every ReCAPTCHA load.

You can test it out by clicking the following bookmarklet: Recommend CSP

If you find it useful, drag it to your bookmarks toolbar and you can use it from any web page. Feel free to check out the bookmarklet source as well.

In the future, I would like to add notifications for potential inline script violations.
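As an added illustration of the analysis the bookmarklet performs (example code written for this page, not the bookmarklet's own source): given the page origin and the resource-loading elements collected from the DOM, it groups each resource's origin under the directive that governs it and serializes a recommended policy, counting inline scripts separately. The directive names, the element-to-directive mapping and the sample page are assumptions.

```javascript
// Which CSP directive governs each resource-loading element (assumption:
// CSP 1.0 directive names; the 2010 draft spelled default-src as "allow").
const DIRECTIVE_FOR_TAG = {
  script: 'script-src', img: 'img-src', link: 'style-src', iframe: 'frame-src',
  object: 'object-src', embed: 'object-src', audio: 'media-src', video: 'media-src'
};

// Reduce a resource URL to a CSP source expression relative to the page origin.
function sourceFor(url, pageOrigin) {
  if (url.startsWith('data:')) return 'data:';   // data: URIs have no origin
  const origin = new URL(url, pageOrigin).origin;
  return origin === pageOrigin ? "'self'" : origin;
}

// resources: [{tag, url}] as collected from the DOM (url is '' for inline scripts,
// which no source list can allow and a policy without 'unsafe-inline' blocks).
function analyzeResources(pageOrigin, resources) {
  const directives = {};
  let inlineScripts = 0;
  for (const { tag, url } of resources) {
    if (tag === 'script' && !url) { inlineScripts++; continue; }
    const directive = DIRECTIVE_FOR_TAG[tag];
    if (!directive || !url) continue;
    const sources = directives[directive] || (directives[directive] = new Set());
    sources.add(sourceFor(url, pageOrigin));
  }
  return { directives, inlineScripts };
}

// Serialize the recommendation; anything not observed stays locked to 'self'.
function recommendPolicy(pageOrigin, resources) {
  const { directives } = analyzeResources(pageOrigin, resources);
  const parts = ["default-src 'self'"];
  for (const d of Object.keys(directives).sort()) {
    parts.push(d + ' ' + [...directives[d]].sort().join(' '));
  }
  return parts.join('; ');
}

// Constructed sample: a page on https://example.com embedding ReCAPTCHA (script
// from two hosts, as noted above), an inline script, a local logo, a CDN stylesheet.
const SAMPLE_ORIGIN = 'https://example.com';
const SAMPLE_RESOURCES = [
  { tag: 'script', url: 'https://api.recaptcha.net/challenge.js' },
  { tag: 'script', url: 'https://www.google.com/recaptcha/api.js' },
  { tag: 'script', url: '' },
  { tag: 'img', url: '/images/logo.png' },
  { tag: 'link', url: 'https://cdn.example.net/site.css' },
  { tag: 'img', url: 'data:image/png;base64,iVBORw0KGgo=' }
];
console.log(recommendPolicy(SAMPLE_ORIGIN, SAMPLE_RESOURCES));
```

In the bookmarklet setting the resource list would come from the live DOM (and from nodes JavaScript adds later); here it is supplied inline so the analysis runs stand-alone.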

Jetpack: Unread Messages in Gmail App Tab August 13th, 2010

One of the new features in Firefox 4 is the App Tab, which lets users keep open a tab that they use continuously. Firefox shrinks the tab down to just the favicon and places it in a special area for these tabs, which generally aren’t closed by the user. The feature is great, but one side effect is that Gmail App Tabs no longer show the part of the <title> that indicates unread messages.

That’s where my new Jetpack comes in: Jetpack is a cool new, lightweight (and secure!) way to write Add-ons.

Go install Unread Gmail Favicon from AMO and the favicon for that tab will indicate the number of unread messages when you have them like so:

WordPress and Content Security Policy April 12th, 2010

Lately, I have been implementing the server logic for Content Security Policy in WordPress. I was very pleased to see that the WordPress community opened up the tracking bug for this feature around the time we first blogged about it. One of the neat things about working for Mozilla is that contributions to other important open source projects are treated as valid, valuable uses of our time.

Today, I posted my first patch to WordPress, still a work in progress, which adds an administration panel (see below) for configuring CSP. One of the features I’m rather happy with is “Suggest Policy”, which analyzes the content in the user’s blog and recommends a policy based on the content types and sources it finds.

Next I’ll be working on moving the remaining inline script into external script files. Stay tuned for further updates!

Content Security Policy – Preview Builds October 1st, 2009

I posted this over at the Mozilla Security Blog but wanted to share it here as well. I am excited to report that Content Security Policy is available for testing! We’ve been working hard on implementing the CSP spec and now the new features are ready to be put to the test.

I would like to encourage any interested parties, whether web security researchers or website administrators, to head over to Mozilla Try Server and grab a preview build of Firefox with CSP enabled:

Windows: 1256079015-win32.zip
Mac OS X: 1256079015-macosx.dmg
Linux: 1256079015-linux.tar.bz2

Once you have it, you can test the core functionality of CSP at the demo page I set up on my Mozilla web space. There is a lot more information about this project there and I look forward to any feedback you have to share with me.