Browser security briefing: Google and Mozilla lay the groundwork for a ‘post-XSS world’

The Firefox and Chrome development teams share their progress in minimizing the impact of classic web attacks



ANALYSIS New browser security features offer the tantalizing promise of killing – or at least significantly reducing – many of the classic web security attack vectors.


Minimizing the potency of classic attack vectors such as cross-site scripting (XSS) and cross-site request forgery (CSRF) promises to herald what some are calling the ‘post-XSS world’.


The improvements represent the culmination of several years of work by many people across the industry, realized in specifications and in the implementations shipped in Google Chrome 83 and Mozilla Firefox 79.


Security improvement roster


A blog post by Google back in July describes a set of security mechanisms to protect its applications from common web vulnerabilities.


These mechanisms, which collectively protect applications, include Trusted Types, Content Security Policy (CSP) based on script nonces, Fetch Metadata Request Headers, and Cross-Origin Opener Policy (COOP).


The first two features offer protection against injection attacks such as XSS; the latter two provide stronger isolation between origins, limiting what a cross-site attacker can request or reference.




For example, the script nonce attribute, set to an unpredictable token for every page load, “acts as a guarantee that a given script is under the control of the application”.


Accord ..