Google is taking another security step for its Gmail cloud mail service by implementing the standard known as Content Security Policy (CSP).
CSP is a World Wide Web Consortium (W3C) standard that is particularly effective in preventing cross-site scripting (XSS). Its goal is to enable secure mash-ups, address click-jacking and create a more robust web security environment through lightweight policy expression that meshes with HTML5's built-in security policies.
In Google’s case, the search giant will use it to vet extension code.
“There are many great extensions for Gmail. Unfortunately, there are also some extensions that behave badly, loading code which interferes with your Gmail session, or malware which compromises your email’s security,” said Danesh Irani, a software engineer for Gmail Security, in a blog post. “Gmail’s CSP protects you, by stopping these extensions from loading unsafe code.”
Most popular (and well-behaved) extensions have already been updated to work with the CSP standard, Irani said—so users should download the latest versions of them from Chrome.
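To show how an allowlist of the kind CSP expresses decides what a page may load, here is an added Python illustration (not Google's code, and the policy and host names are constructed rather than Gmail's real policy). It parses a `script-src` directive, falls back to `default-src` as the spec prescribes, and evaluates a few script sources; nonce and hash sources, ports and path matching are deliberately left out.

```python
# Added example, not Google's code. Policy and hosts are constructed.
EXAMPLE_POLICY = ("default-src 'self'; "
                  "script-src 'self' https://apis.example-cdn.test")

def parse_csp(header):
    """Return {directive: [source expressions]} from a CSP header value."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased."""
    scheme, _, rest = url.partition("://")
    return f"{scheme}://{rest.split('/', 1)[0]}".lower()

def host_source_matches(expr, url):
    """Match a host-source such as https://cdn.test or *.cdn.test (ports, paths ignored)."""
    e_scheme, _, e_host = expr.rpartition("://")  # scheme part is optional
    u_scheme, _, u_rest = url.partition("://")
    u_host = u_rest.split("/", 1)[0].split(":")[0].lower()
    e_host = e_host.split(":")[0].lower()
    if e_scheme and e_scheme.lower() != u_scheme.lower():
        return False
    if e_host.startswith("*."):
        return u_host.endswith(e_host[1:])
    return u_host == e_host

def script_allowed(policy, page_origin, script_url=None, inline=False):
    """Decide whether a script may run; script-src falls back to default-src."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: nothing is restricted
    if inline:
        return "'unsafe-inline'" in sources  # nonce/hash sources not modelled
    for expr in sources:
        if expr == "'self'" and origin_of(script_url) == page_origin:
            return True
        if not expr.startswith("'") and host_source_matches(expr, script_url):
            return True
    return False  # 'none' ends here too: no expression can match it

def check_examples():
    # Own-origin and allow-listed CDN scripts load; a script injected
    # from an unlisted host and an inline script are blocked.
    policy = parse_csp(EXAMPLE_POLICY)
    page = "https://mail.example.test"
    return {
        "own": script_allowed(policy, page, "https://mail.example.test/app.js"),
        "cdn": script_allowed(policy, page, "https://apis.example-cdn.test/w.js"),
        "extension": script_allowed(policy, page, "https://ext.example.test/inject.js"),
        "inline": script_allowed(policy, page, inline=True),
    }
```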
The upgrade continues Google’s ongoing Gmail upgrades, which also include serving images through secure proxy servers, rolling out two-factor authentication and requiring HTTPS as the default mechanism.
Specific to XSS, Google has also developed an internal web application security scanning tool, codenamed Inquisition. The scanner is built entirely on Google technologies such as Chrome and Google Cloud Platform, and it supports HTML5 features. It is being used in conjunction with the open-source Firing Range, a test ground for automated scanners: a Java application built on Google App Engine that contains a wide range of XSS and, to a lesser degree, other web vulnerabilities.
“Securing modern web applications can be a daunting task—doubly so if they are built (quickly) with diverse languages and technology stacks,” said Claudio Criscione, security engineer for Google.
According to High-Tech Bridge, more than 90% of XSS vulnerabilities can be exploited in such a manner that even advanced users and IT staff will not suspect nefarious activity. XSS does not require much social engineering or interaction with humans; in fact, more than 95% of XSS vulnerabilities can be used to perform sophisticated drive-by-download attacks, infecting users who just open a harmless-looking URL they trust.