X-Content-Type-Options, NoScript and Browserscope
Posted by: Giorgio in CSRF, ABE, Google, Mozilla, Security, NoScriptNoScript 2.0.4 has been released yesterday, with some bug fixes and one main addition: strict X-Content-Type-Options: nosniff enforcement.
NoScript, for a long time, had already being enforcing content type checks on cross-site Javascript and CSS includes, and recent Firefox versions introduced similar built-in mitigations, albeit limited to stylesheets, in order to mitigate CSS-based data theft.
Nevertheless, X-Content-Type-Options offers a nice opportunity to further hardening, by allowing web sites to opt-in for the strictest checks, on more file types and also same-domain, in a theoretically compatible way.
A side effect of this addition is that Firefox 4 + NoScript now scores 14/16 on Browserscope's Security Test, in "Allow Scripts Globally" mode (i.e., without blocking any JavaScript or active content)!
For those who don't know it, Browserscope is a project which aims at profiling and comparing browser capabilities, with a special eye for security features.
By comparison, only Google Chrome boasts a higher score of 15/16, because it supports both the HTTP Origin Header and the HTML 5 Sandbox Attribute, which are not implemented yet by Firefox nor by NoScript. For the curious, "vanilla" Firefox 4 nightlies stop at 11/15 (even if you're going to read 12/15 because of a XSS test bug), Firefox 3.6.12 + NoScript is at 13/15, while disabling NoScript makes it fall down to 9/16 (reported as 10/16 because of the aforementioned bug).
However, a fair comparison would need to cover also Content Security Policies, a very powerful and flexible security technology developed by Mozilla (test should be added soon, it seems) and countermeasures for cross-zone CSRF attacks (e.g. against routers), which are currently provided by NoScript and, partially, by Opera (Mozilla is working on something, too)*. If and when these features get tested, Firefox 4 + NoScript will lead at 16/18, followed by Chrome at 15/18.
That said, I'd really love to see Origin and Sandbox implemented natively by Firefox, for a perfect 18/18. Which is, I guess, the real raison d'être of Browserscope: getting good stuff implemented everywhere by the power of childish envy ;)
* I won't advocate including tests for other non-blocking security features provided by NoScript, such as ClearClick anti-Clickjacking, because they're not suitable for web-based automation.