My implementation of the Content Security Policy server logic for WordPress is now available as a WordPress Plugin.
Fig. 1 – CSP configuration page making a policy recommendation.
Fig. 2 – New panel in media uploader allows direct creation of script files in the uploads directory.
Lately, I have been implementing the server logic for Content Security Policy in WordPress. I was very pleased to see that the WordPress community opened up the tracking bug for this feature around the time we first blogged about it. One of the neat things about working for Mozilla is that contributions to other important open source projects are treated as valid, valuable uses of our time.
Today, I posted my first patch to WordPress, still a work in progress, which adds an administration panel (see below) for configuring CSP. One of the features I’m rather happy with is “Suggest Policy”, which analyzes the content in the user’s blog and recommends a policy based on the content types and sources it finds.
Next I’ll be working on moving the remaining inline script into external script files. Stay tuned for further updates!
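To make the "Suggest Policy" idea concrete, here is an added example of how a policy recommender can be built from a site's own content: it walks the HTML of a few posts, records which origin each script, image, stylesheet, frame and media resource is loaded from, turns those into CSP source expressions, and counts the inline scripts and styles that the resulting policy would block and that therefore have to be moved into external files. This is illustration code written for this page, not the plugin's PHP. The directive names follow CSP as it was later standardized (default-src, img-src, and so on) rather than the draft syntax of the time, and the site origin, the sample post bodies and all function names are assumptions.

```python
"""Suggest a Content Security Policy from the resources a site's content loads.

Added example for this page; it is not the WordPress plugin's own (PHP) code.
Directive names follow standardized CSP, not the 2009 draft syntax. The site
origin, sample posts and function names below are assumptions.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_ORIGIN = "https://blog.example"  # assumed origin of the blog being analyzed

# (tag, attribute) -> CSP directive that governs that kind of fetch
TAG_DIRECTIVES = {
    ("script", "src"): "script-src",
    ("img", "src"): "img-src",
    ("link", "href"): "style-src",  # only counted when rel="stylesheet"
    ("iframe", "src"): "frame-src",
    ("object", "data"): "object-src",
    ("embed", "src"): "object-src",
    ("video", "src"): "media-src",
    ("audio", "src"): "media-src",
}


def source_expression(url, site_origin):
    """Map a resource URL to the CSP source expression that would allow it."""
    p = urlparse(url)
    if p.scheme in ("data", "blob"):
        return p.scheme + ":"
    if not p.netloc:
        return "'self'"  # relative URL: served from the site's own origin
    origin = f"{p.scheme}://{p.netloc}" if p.scheme else p.netloc
    return "'self'" if origin == site_origin else origin


class SourceCollector(HTMLParser):
    """Record resource origins per directive and count inline script/style."""

    def __init__(self, site_origin):
        super().__init__()
        self.site_origin = site_origin
        self.sources = defaultdict(set)  # directive -> set of source expressions
        self.inline_scripts = 0  # <script> bodies and on* event handler attributes
        self.inline_styles = 0   # <style> blocks and style="" attributes
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_inline_script = "src" not in a
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return  # icons, feeds, canonical links: not a CSP-governed stylesheet
        if tag == "style" or "style" in a:
            self.inline_styles += 1
        self.inline_scripts += sum(1 for name, _ in attrs if name.startswith("on"))
        for attr in ("src", "href", "data"):
            directive = TAG_DIRECTIVES.get((tag, attr))
            if directive and a.get(attr):
                self.sources[directive].add(source_expression(a[attr], self.site_origin))

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data; count each body once
        if self._in_inline_script and data.strip():
            self.inline_scripts += 1
            self._in_inline_script = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def suggest_policy(documents, site_origin=SITE_ORIGIN):
    """Return a recommended policy plus counts of inline code it would block."""
    collector = SourceCollector(site_origin)
    collector.feed("\n".join(documents))
    collector.close()
    parts = ["default-src 'self'"]
    for directive in sorted(collector.sources):
        exprs = sorted(collector.sources[directive])
        if exprs != ["'self'"]:  # only emit directives that widen default-src
            parts.append(f"{directive} {' '.join(exprs)}")
    return {
        "policy": "; ".join(parts),
        "inline_scripts": collector.inline_scripts,  # must move to external files
        "inline_styles": collector.inline_styles,
    }


# Constructed post bodies standing in for what the plugin would read from the DB
SAMPLE_POSTS = [
    '<p>Hello</p><img src="/wp-content/uploads/cat.png">'
    '<script src="https://blog.example/wp-includes/js/jquery.js"></script>'
    '<script>alert(1)</script>',
    '<link rel="stylesheet" href="/wp-content/themes/x/style.css">'
    '<img src="https://i.example/pic.jpg"><img src="data:image/png;base64,AAAA">'
    '<iframe src="https://video.example/embed/42"></iframe>'
    '<div style="color:red">x</div>'
    '<a href="https://other.example" onclick="track()">x</a>',
]

if __name__ == "__main__":
    r = suggest_policy(SAMPLE_POSTS)
    print("Content-Security-Policy:", r["policy"])
    print(f"inline scripts to externalize: {r['inline_scripts']}")
```

The recommender deliberately starts from `default-src 'self'` and only adds a directive when the content actually loads from somewhere else, so the suggestion is the tightest policy the existing content can run under; the inline-script count is the work list for the step described in the post, since a policy without 'unsafe-inline' will block every one of them.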
I posted this over at the Mozilla Security Blog but wanted to share it here as well. I am excited to report that Content Security Policy is available for testing! We’ve been working hard on implementing the CSP spec and now the new features are ready to be put to the test.
I would like to encourage any interested parties, whether web security researchers or website administrators, to head over to Mozilla Try Server and grab a preview build of Firefox with CSP enabled:
Once you have it, you can test the core functionality of CSP at the demo page I set up on my Mozilla web space. There is a lot more information about this project there and I look forward to any feedback you have to share with me.
I published another set of changes to the Content Security Policy proposal. We are getting very close to the implementation phase now, and I’ve made a final call for feedback. Sid and I are in the process of moving the documentation to the Mozilla Wiki, where the final specification will live.
I updated my web security proposal with a fairly large set of changes. I removed Cross Site Request Forgery from the scope of the proposal and instead will focus on the implementation of the
I published a proposal for a set of browser security features that I hope to get turned into an open web standard and implemented in a future version of Firefox. The goal is to create a mechanism that allows websites to communicate security policies to the browser which dictate how web content should behave.