CyberSecurityBoard
Sponsor Register Login

Mozilla decides Trusted Types is a worthy security feature The Register

Mozilla last week revised its position on a web security technology called Trusted Types, which it has decided to implement in its Firefox browser.
The browser biz will help reduce a longstanding form of web attack that relies on injected code.
Mozilla won't implement Trusted Types in Firefox immediately - there are still some technical issues to sort out.
The org's decision is a win for web security, which has been looking up since May 2020 when Trusted Types shipped in Chrome 83 and Edge 83.
Trusted Types addresses DOM-XSS, or document object model cross-site scripting - considered to be both rather dangerous and fairly common.
XSS attacks should become less common as more websites revise their code to take advantage of Trusted Types.
Or, as Vogelheim continued, they are made possible when developers fail to sanitize their app's inputs.
With Trusted Types enabled, the browser expects a TrustedHTML object instead of a text snippet.
Trusted Types addresses the risk of unsafe input by limiting the attack surface via Content Security Policy and a content filtering mechanism.
Since the capability first showed up three years ago, DOM-XSS attacks have become less common in the Chromium ecosystem.
In an October post to the GitHub repo discussing Mozilla's positions on various technologies, Vogelheim notes that Google expects to effectively eliminate DOM-XSS risk as it deploys Trusted Types across all of Google's websites.
I believe that broader support across browsers and broader deployment across websites would be beneficial to the web platform overall.
Toward that end, Niemczura pointed to a post he made in May urging Apple's WebKit team to consider adopting Trusted Types based on successful deployment by Google, Meta, and Microsoft across various websites.
Currently, Trusted Types is present or enforced in about ten percent of Chrome web page loads.
Bruce Perens, a veteran programmer and one of the founders of the Open Source movement, expressed enthusiasm for the technology after deploying it.
Perens said that while Trusted Types are only enforced in some browsers, developers should adapt their web app code to support the XSS defense because he believes Firefox, Safari, and other browsers will eventually include the technology.


This Cyber News was published on go.theregister.com. Publication date: Thu, 21 Dec 2023 11:43:04 +0000


Cyber News related to Mozilla decides Trusted Types is a worthy security feature The Register

Mozilla decides Trusted Types is a worthy security feature The Register - Mozilla last week revised its position on a web security technology called Trusted Types, which it has decided to implement in its Firefox browser. The browser biz will help reduce a longstanding form of web attack that relies on injected code. ...
10 months ago Go.theregister.com
Mozilla decides Trusted Types is a worthy security feature The Register - Mozilla last week revised its position on a web security technology called Trusted Types, which it has decided to implement in its Firefox browser. The browser biz will help reduce a longstanding form of web attack that relies on injected code. ...
10 months ago Packetstormsecurity.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 month ago Aws.amazon.com
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
5 months ago Tenable.com
CVE-2024-47716 - In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP ...
2 weeks ago Tenable.com
What Is Cloud Security Management? Types & Strategies - Cloud security management is the process of safeguarding cloud data and operations from attacks and vulnerabilities through a set of cloud strategies, tools, and practices. The cloud security manager and the IT team are generally responsible for ...
5 months ago Esecurityplanet.com
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
10 months ago Feeds.dzone.com
Cybersecurity jobs available right now: October 2, 2024 - Help Net Security - As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to ...
1 month ago Helpnetsecurity.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
11 months ago Microsoft.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
10 Best Security Service Edge Solutions - Security Service Edge is an idea in cybersecurity that shows how network security has changed over time. With a focus on customized solutions, Security Service Edge Solutions leverages its expertise in multiple programming languages, frameworks, and ...
8 months ago Cybersecuritynews.com
Normalizing Security Culture: Stay Ready - While it may seem like self-promotion or extraneous work, it’s extremely valuable to take the extra time to summarize threats stopped, processes improved, projects completed and team members modeling strong security behavior. Most people don't ...
1 month ago Darkreading.com
6 Best Cloud Security Companies & Vendors in 2024 - Cloud security companies specialize in protecting cloud-based assets, data, and applications against cyberattacks. To help you choose, we've analyzed a range of cybersecurity companies offering cloud security products and threat protection services. ...
8 months ago Esecurityplanet.com
Protecting User Privacy by Removing Personal Data from Data Broker Sites - As part of its new subscription service model, Mozilla Firefox is offering its users the possibility of finding and removing their personal and sensitive information from data brokers across the internet. To eliminate their phone numbers, e-mail, ...
8 months ago Cysecurity.news
Five business use cases for evaluating Azure Virtual WAN security solutions - To help organizations who are evaluating security solutions to protect their Virtual WAN deployments, this article considers five business use cases and explains how Check Point enhances and complements Azure security with its best-of-breed, ...
5 months ago Blog.checkpoint.com
Imperva Named an Overall Leader in the KuppingerCole Leadership Compass: API Security and Management Report - We're thrilled to share that Imperva has achieved the prestigious status of Overall Leader in the KuppingerCole Leadership Compass: API Security and Management report. A notable achievement is being recognized as one of the few non-gateway-first ...
11 months ago Imperva.com
CVE-2024-26706 - In the Linux kernel, the following vulnerability has been resolved: parisc: Fix random data corruption from exception handler The current exception handler implementation, which assists when accessing user space memory, may exhibit random data ...
7 months ago Tenable.com
IaaS vs PaaS vs SaaS Security: Which Is Most Secure? - Security concerns include data protection, network security, identity and access management, and physical security. While IaaS gives complete control and accountability, PaaS strikes a compromise between control and simplicity, and SaaS provides a ...
10 months ago Esecurityplanet.com
Cybersecurity Career Pathways for Students - Whether aspiring to become a cybersecurity analyst, ethical hacker, or security engineer, this article serves as a valuable resource for students aiming to embark on a successful cybersecurity career. As an analyst, students will be responsible for ...
10 months ago Securityzap.com
A Practitioner's Guide to Security-First Design - Instead, organizations must proactively fortify their defenses and enter the era of security-first design - an avant-garde approach that transcends traditional security measures. Security-first design is an approach that emphasizes integrating robust ...
10 months ago Feeds.dzone.com
Benefits and challenges of managed cloud security services - Too many organizations lack the in-house cloud security expertise and resources needed to protect cloud assets effectively. One option to address these challenges is managed cloud security. Outsourcing cloud security to a third party not only helps ...
8 months ago Techtarget.com
The First 10 Days of a vCISO’S Journey with a New Client - Cyber Defense Magazine - During this period, the vCISO conducts a comprehensive assessment to identify vulnerabilities, engages with key stakeholders to align security efforts with business objectives, and develops a strategic roadmap to prioritize actions and resources. If ...
1 month ago Cyberdefensemagazine.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)