Search This Blog

Showing posts with label Moziila. Show all posts

Google and Mozilla Develop an API for HTML Sanitization

 

Google, Mozilla, and Cure53 engineers have collaborated to create an application programming interface (API) that offers a comprehensive solution to HTML sanitization. The API will be used in upcoming versions of the Mozilla Firefox and Google Chrome web browsers. 

HTML sanitization is the process of reviewing an HTML document and creating a new HTML document that only contains the "secure" and desired tags. By sanitizing any HTML code submitted by a user, HTML sanitization can be used to defend against attacks like cross-site scripting (XSS).

Sanitation is usually carried out using either a whitelist or a blacklist strategy. Sanitization can be done further using rules that define which operations should be performed on the subject tags. 

When rendering user-generated content or working with templates, web applications are often expected to manage dynamic HTML content in the browser. Client-side HTML processing often introduces security flaws, which malicious actors exploit to stage XSS attacks, steal user data, or execute web commands on their behalf. 

“Historically, the web has been confronted with XSS issues ever since the inception of JavaScript,” Frederik Braun, security engineer at Mozilla, said. “The web has an increase in browser capabilities with new APIs and can thus be added to the attacker’s toolbox.” 

To protect against XSS attacks, many developers use open-source JavaScript libraries like DOMPurify. DOMPurify takes an HTML string as input and sanitizes it by deleting potentially vulnerable parts and escaping them. 

“The issue with parsing HTML is that it is a living standard and thus a quickly moving target,” Braun said. “To ensure that the HTML sanitizer works correctly on new input, it needs to keep up with this standard. The failure to do so can be catastrophic and lead to sanitizer bypasses.” 

The HTML Sanitizer API incorporates XSS security directly into the browser. The API's sanitizer class can be instantiated and used without the need to import external libraries. 

“This moves the responsibility for correct parsing into a piece of software that is already getting frequent security updates and has proven successful in doing it timely,” Braun said. According to Bentkowski, browsers already have built-in sanitizers for clipboard info, so repurposing the code to extend native sanitization capabilities makes perfect sense.

Security System Enhanced by Google and Mozilla

 

The development teams of Google and Mozilla shared their progression regarding the minimization of classic web security attack vectors such as cross-site request forgery (CSRF) and cross-site scripting (XSS). The latest browser security features present assurance of destroying or at least bringing down the classic web security attack vectors. 

Google elaborated in a blog post last year on how to strengthen its security mechanism and safeguard its applications from usual web susceptibilities and the features safeguarding its applications are Content Security Policy and Trusted Types - depends on script nonces, Cross-Origin Opener Policy and Fetch Metadata Request Headers. 

These security mechanisms safeguard the application from injected strikes and enhance isolation capacities. Google stated that even if the small segment of the malicious script is inserted by an attacker, “the browser will refuse to execute any injected script which doesn’t identify itself with the current nonce” and this eases down the impact of any server-side inserted susceptibilities containing reflected XSS and reflected XSS. 

The Content Security Policy (CSP) was refined by the enforcement of these developments by Google and the tech giant stated that “CSP has mitigated the exploitation of over 30 high-risk XSS flaws across Google in the past two years. Nonce-based CSP is supported in chrome, Firefox, Microsoft Edge, and other Chromium-based browsers. Partial support for this variant of CSP is also available in Safari”.

Meanwhile, Mozilla spokesperson stated to The Daily Swig that Mozilla’s security was boosted due to the injection of Project Fission last year and the Firefox security team has played a massive role in making the internet more secure for all users. He added that the primary aim for this team has been Project Fission and Mozilla’s enforcement of Site Isolation in Firefox; currently. the Project Fission can be tried out in the Nightly version of the search engine.

Project Fission along with Embedded Policy and Cross-Origin Opener is the component of Mozilla’s mitigations against Spectre-style strikes. The search engines must add the security mitigations that support today’s browsing experience. 

Santiago Diaz, who is working as an information security manager at Google stated that on the inserted side Trusted Types and CSP3 are “battle-tested mitigations that make the vast majority of DOM-based XSS unexploitable when used correctly”.