A browser supporting CSP ignores code that is not in the whitelist. Browsers who do not support CSP ignore the policy.
CSP is currently only supported by Firefox 4, Thunderbird 3.3 and SeaMonkey 2.1. You can test the functionality by visiting this test page.
Twitter recently announced that they have added CSP to their mobile version, accessible under mobile.twitter.com. Users who use one of the aforementioned browsers are protected from XSS attacks on that website.
They managed to resolve those problems by mandating SSL for all Firefox 4 users who access the mobile Twitter web site.
A test with Firebug shows that the mobile version of Twitter is indeed using the policy on site. Please note that Twitter makes a user agent check and is very restrictive about it. Firefox 5 or Firefox 6 users won't get the policy currently.
The using CSP guide on Mozilla offers additional examples on how to set the right headers.
Browsers that do not support CSP ignore the header.
CSP offers two additional forms of protection. It mitigates clickjacking attacks. Clickjacking refers to directing a user's mouse click to a target on another site. This is often done by using transparent frames on the original website.
Content Security Policy can also be used to mitigate packet sniffing attacks, as it allows the webmaster to specific protocols that are allowed to be used. It is for instance possible to force HTTPS only connections.
The CSP Policy directives are accessible here on Mozilla.
Next to the already mentioned options are parameters to specific hosts where images, media files, objects or fonts may be loaded from.
The biggest problem currently is that CSP is only supported by Firefox 4. Not by Internet Explorer, Chrome, Opera or Safari. But even if it would be supported by all browsers, it would still depend on webmasters to implement the headers on their websites.
A push in the right direction could come from Twitter, if the decision is made to role out the CSP header to the main Twitter web site as well.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.