Ben Dickson 05 October 2021 at 11:09 UTC
Updated: 06 October 2021 at 13:20 UTC
Apple gives users better defense against XSS and other vulnerabilities
Safari, the default browser on Apple devices, will soon support a much-needed security feature that better protects against script injection attacks.
According to a thread on the bug tracker for WebKit, the browser engine that powers Safari, Apple developers have added strict Content Security Policy (CSP) support to WebKit Nightly, the preliminary build of the engine.
Discussions about adding the strict CSP have been ongoing since 2018, the thread shows.
The technical details
Content Security Policy is an HTTP response header that tells the browser which scripts, stylesheets, and other client-side resources a page is allowed to load and execute. CSP is primarily used to mitigate cross-site scripting (XSS), clickjacking, and other injection attacks.
The original CSP specification was inflexible and limited, which forced developers to compromise on the security of their web applications. A strict CSP, marked by the 'strict-dynamic' directive, fills these gaps.
“Without it, the CSP should include a list of hosts from which the page is allowed to load scripts,” Dominic Couture, senior application security engineer at GitLab, told The Daily Swig.
“It’s a tedious task and there are risks of bypassing the CSP if the attacker is able to host scripts on one of the authorized hosts.”
Strict CSP uses an unpredictable random value called a “nonce”, which the web application generates securely on the server side for each response and attaches to the scripts it intends to run; the browser executes only scripts that carry the matching nonce.
The strict form makes CSP easier for developers to manage and XSS harder for attackers to exploit.
“Strict CSP balances security and flexibility for developers. Therefore, this should make it easier to deploy CSP while maintaining security,” Jun Kokatsu, a browser security engineer, told The Daily Swig.
Catching up
Other major browsers like Chrome, Firefox, and Edge have supported this feature for a long time. Safari’s lack of support has been a point of frustration for developers who wanted to secure their websites on all platforms.
“This is very important for iOS users, where all browsers are forced to use Safari’s renderer (i.e. WebKit),” Kokatsu said.
“In many websites where they chose to deploy Strict CSP, all iOS users had fallback CSP mitigation which basically consisted of allowing all scripts (as Safari does not support it).”
Couture added, “This new support will make CSP easier to maintain for engineers with feature parity across all major browsers.
“That said, the biggest impact is on Safari users, who will be more secure on the Internet because they will benefit from the same security features as users of other browsers.”