I recently discovered this page, which describes Mozilla’s solution for prevention of XSS (Cross-Site Scripting) available as a Firefox Extension. Here’s the HTTP response from my site:
hank@tardis:~$ wget -S http://www.ralree.com --2009-06-30 09:52:13-- http://www.ralree.com/ Resolving www.ralree.com... 126.96.36.199 Connecting to www.ralree.com|188.8.131.52|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Date: Tue, 30 Jun 2009 13:49:54 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a Phusion_Passenger/2.1.3 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/184.108.40.20635 X-Powered-By: PHP/5.2.8 X-Pingback: http://www.ralree.com/newblog/xmlrpc.php Last-Modified: Tue, 30 Jun 2009 13:49:21 GMT X-Content-Security-Policy: allow self; img-src *; object-src *.ralree.com *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com friendfeed.com; style-src *.ralree.com *.ralree.info Content-Length: 57457 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
As you can see, my content security policy is sent as an HTTP header on all HTTP responses from my site. I basically stole an example from this page. I’ve attached it in the .htaccess file in my site’s root, before everything else in there, like so:
<IfModule mod_headers.c> Header set X-Content-Security-Policy "allow self; img-src *; object-src *.ralree.com *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com friendfeed.com; style-src *.ralree.com *.ralree.info" </IfModule>
I highly recommend everyone with commenting activated on their blog enable this, since XSS is a serious pain. This seems to work very well on Site5, where mod_headers was simply enabled out of the box.