Safari adds strict CSP support, catches up with other major browsers


Ben Dickson 05 October 2021 at 11:09 UTC

Updated: 06 October 2021 at 13:20 UTC

Apple gives users better defense against XSS and other vulnerabilities

Safari, the default browser on Apple devices, will soon support a key security feature that gives websites better protection against script injection attacks.

According to a thread on the bug tracker for WebKit, the browser engine that powers Safari, Apple developers have added strict Content Security Policy (CSP) support to WebKit Nightly, the preview build of the engine.

Discussions about adding the strict CSP have been ongoing since 2018, the thread shows.

The technical detail

Content Security Policy is an HTTP response header (it can also be delivered in a meta tag) that restricts which scripts, stylesheets, and other client-side resources the browser may load or execute for a page. CSP is primarily used to mitigate cross-site scripting (XSS), clickjacking, and other injection attacks.

The original CSP specification was inflexible and limited, which forced developers to compromise on the security of their web applications. A strict CSP, marked by the directive, fills these gaps.

“Without it, the CSP should include a list of hosts from which the page is allowed to load scripts,” Dominic Couture, senior application security engineer at GitLab, told The Daily Swig.

“It’s a tedious task and there are risks of bypassing the CSP if the attacker is able to host scripts on one of the authorized hosts.”


Strict CSP instead relies on an unpredictable random value, a “nonce”, that the web application generates securely on the server side for each response and attaches to the scripts that are allowed to run on the page; a script without a matching nonce is not executed.

The strict approach makes CSP more manageable for developers and makes XSS exploitation harder for attackers.

“Strict CSP balances security and flexibility for developers. Therefore, this should make it easier to deploy CSP while maintaining security,” browser security engineer Jun Kokatsu told The Daily Swig.

Catching up

Other major browsers, including Chrome, Firefox, and Edge, have supported this feature for years. Safari’s lack of support has been a point of frustration for developers who wanted to secure their websites consistently on all platforms.

“This is very important for iOS users, where all browsers are forced to use Safari’s renderer (i.e. WebKit),” Kokatsu said.

“In many websites where they chose to deploy strict CSP, all iOS users had a fallback CSP mitigation which basically consisted of allowing all scripts (as Safari did not support it).”

Couture added, “This new support will make CSP easier to maintain for engineers with feature parity across all major browsers.

“That said, the biggest impact is on Safari users, who will be more secure on the Internet because they will benefit from the same security features as users of other browsers.”
