Twitter improves security on mobile site using Firefox 4 features


Jenny Williams

Twitter is using Mozilla's new Content Security Policy (CSP) in Firefox 4 to help prevent web-based attacks on its mobile site.

Mozilla has made Firefox 4 available to download for Windows, Mac OS X and Linux. The latest version includes new security features such as 'do not track' and CSP.


On its Engineering blog, Twitter says it has been testing the new CSP feature for the past few weeks. "This policy is a standard developed by Mozilla that aims to thwart cross-site scripting (XSS) attacks at their point of execution, the browser."

"Although activating CSP is easy, in order for it to work correctly you may need to modify your site. In our case it meant removing all inline JavaScript," Twitter advised.

"Allowing sites like Twitter to disable inline JavaScript and whitelist external assets is a huge step towards neutralising XSS attacks," it continued in the blog post.
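To make the two points in those quotes concrete (why inline JavaScript has to go first, and what whitelisting external assets buys you), here is an added example that is not code from Twitter, Mozilla or the article. It is a small CSP evaluator plus an audit helper for the "remove all inline JavaScript" step. It uses the standardised `Content-Security-Policy` header syntax; the Firefox 4 prototype described in the article used an `X-Content-Security-Policy` header with slightly different directive syntax, so the header name, the sample policies, the host names and the sample HTML are all constructed assumptions. Nonce and hash sources, a later CSP addition, are deliberately left out.

```javascript
// Added example (not Twitter's or Mozilla's code): minimal CSP evaluator and
// an audit helper for the "remove inline JavaScript before enabling CSP" step.
// Assumes the standardised Content-Security-Policy header syntax.

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// script-src governs scripts; default-src is the fallback when it is absent.
// With neither present, CSP places no restriction on scripts at all (null).
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Would an inline <script> (the usual shape of an XSS payload) execute?
// Only if scripts are unrestricted or 'unsafe-inline' is listed.
function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-inline'");
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Match one host-source expression (cdn.example.net, *.example.net,
// https://cdn.example.net, cdn.example.net:8443) against a target URL.
function hostSourceMatches(src, target) {
  let scheme = null;
  let rest = src;
  const schemeEnd = src.indexOf('://');
  if (schemeEnd !== -1) {
    scheme = src.slice(0, schemeEnd + 1);
    rest = src.slice(schemeEnd + 3);
  }
  const [host, port] = rest.split('/')[0].split(':');
  if (scheme !== null && scheme !== target.protocol) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port !== undefined && port !== '*' && port !== targetPort) return false;
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

// Would an external script at `url`, loaded by a page at `pageOrigin`, be allowed?
function allowsScriptFrom(policy, pageOrigin, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === page.origin;
    if (src === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src; // scheme source
    if (src.startsWith("'")) return false; // other keywords carry no host match
    return hostSourceMatches(src, target);
  });
}

// Audit helper: list inline-script constructs that a policy without
// 'unsafe-inline' will block, so they can be moved to external files first.
// Regex-based and intentionally rough: a first pass, not an HTML parser.
function findInlineScript(html) {
  const findings = [];
  let m;
  const scriptTag = /<script\b([^>]*)>/gi;
  while ((m = scriptTag.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) findings.push('inline <script> block');
  }
  const handler = /\s(on[a-z]+)\s*=\s*["']/gi;
  while ((m = handler.exec(html)) !== null) findings.push(`inline event handler ${m[1]}`);
  if (/\bhref\s*=\s*["']\s*javascript:/i.test(html)) findings.push('javascript: URL');
  return findings;
}

// Constructed sample page, "before": inline script block and inline handler.
const BEFORE_HTML = `<html><body>
<script>var user = "alice";</script>
<button onclick="share()">Share</button>
<script src="/static/app.js"></script>
</body></html>`;

// Constructed sample page, "after": all script moved to external same-origin files.
const AFTER_HTML = `<html><body>
<button id="share">Share</button>
<script src="/static/app.js"></script>
<script src="/static/handlers.js"></script>
</body></html>`;

// Constructed policies: the lax one is what a site still carrying inline script
// is forced to ship; the strict one only becomes viable once that script is gone.
const LAX_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net";
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net";

function demo() {
  const results = {};
  for (const [name, header] of [['lax', LAX_POLICY], ['strict', STRICT_POLICY]]) {
    const policy = parseCsp(header);
    results[name] = {
      inlineRuns: allowsInlineScript(policy),
      cdnLoads: allowsScriptFrom(policy, 'https://m.example.com', 'https://cdn.example.net/app.js'),
      otherHostLoads: allowsScriptFrom(policy, 'https://m.example.com', 'https://cdn.example.org/x.js'),
    };
  }
  results.beforeFindings = findInlineScript(BEFORE_HTML);
  results.afterFindings = findInlineScript(AFTER_HTML);
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the asymmetry the article is describing: the lax policy still lets an injected inline script run (so it does nothing against XSS), while the strict policy blocks inline script and only loads external scripts from the page's own origin or the whitelisted CDN host. The audit helper reports two findings on the "before" page and none on the "after" page, which is the state a site needs to reach before the strict policy can be deployed without breaking it.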

Brandon Sterne from Twitter's security team said in a blog post: "We expect CSP to be used widely and adopted very quickly. Popular commercial websites like Twitter are already using it, and there are CSP plug-ins for many of the popular content management systems like Wordpress, Django and Drupal. If this works out according to plan, the curtain will soon be coming down on a broad range of nasty web bugs."

Twitter hopes sites that depend on client-side code and user-generated content will be able to make use of the CSP standard in other browsers soon.
