Twitter implements its Content Security Policy for Firefox 4 to block cross-site scripting attacks
Twitter is deploying one of the security features Mozilla built into the new Firefox 4 Web browser, in an ongoing quest to improve security for its users.
Mozilla launched Firefox 4 on March 22 with a number of security features, including features to thwart cross-site scripting (XXS) attacks. Twitter announced on the same day that it had rolled out Mozilla’s Content Security Policy standard on to the mobile version of its site to test “a potentially powerful anti-XSS tool in a controlled setting”, wrote Mark Percival, Twitter’s mobile engineer, on the Twitter engineering blog.
Twitter expects to implement CSP across the rest of the site, he said. This move comes less than a week after Twitter announced it will give users the option to use the HTTPS protocol to secure their activity on the Website.
Mozilla packaged a number of new security features other than CSP in Firefox 4, including a “Do Not Track” feature that allows users to “opt out” out of behavioural tracking by advertisers, according to Nightingale. Firefox 4 also forces Websites to maintain HTTPS connections with users the entire time they are on the site and locally encrypt bookmark and history to keep the information private.
A new “Instant Web Site ID” feature offers one-click access to a site’s identity information, including details like how many times a user has visited it, an improved Private Browsing mode and a “Forget This Site” feature that removes any trace of having visited the site.