Content Security Policy 1.0 makes its debut in Firefox

Martin Brinkmann
Jun 12, 2013
Updated • Jun 12, 2013

Content Security Policy is a technology that browser's need to support for websites to make use of it. Up until now  CSP 1.0 was only supported by Google Chrome and partially by Internet Explorer 10.

While Mozilla did add an implementation of CSP in Firefox 4.0 in 2011, it was not based on a W3C specification. The reason for that was that there was none at the time. This happened six months later when a working draft was published.

When the Content Security Policy 1.0 reached candidate stage over at the W3C, Google implemented it in Chrome 25. Microsoft did add the CSP's "sandbox" directive but nothing else in Internet Explorer 10.

Mozilla announced yesterday that it has integrated an implementation of CSP 1.0 in Firefox. To be precise, the feature landed in Firefox 23 which is currently home to the Aurora channel of the browser.

So what does CSP do? As I said earlier, it is something that websites need to implement to make use of. It enables the webmaster to specify which domains are allowed to run scripts and styles on the page the user is on.

The idea is to prevent cross site scripting attacks and other attacks relying on running code on the web page from working, by blocking unauthorized scripts from running on it.

So, what you can do with it is to whitelist sites that are allowed to run inline scripts, inline styles and include contents within a page. Any other site that tries to run code on the page will have the code execution blocked.

Developers who have made use of Firefox's initial implementation of the feature should check out Mozilla's security blog as it offers information about the changes in the new implementation and what webmasters need to do to guarantee that their website's implementation will continue to work after the transition period. Here they also find information about differences between Firefox's implementation and the spec.

Additional information can also be looked up on Mozilla's Developer Network or on Github.

It should not be too problematic though if the sites are already using the correct headers because of Chrome and CSP 1.0.

It is still necessary for websites to implement CSP correctly.

You find a couple of preferences in about:config related to CSP. It is not recommended to turn it off by setting the value of security.csp.enable to false but you can do that temporarily if you encounter errors when using extensions or bookmarklets for example.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Swapnil said on June 13, 2013 at 12:59 am

    “It is still necessary for websites to implement CSP correctly.”
    And I don’t see it happening on the majority of websites. With webmasters not even caring about dropping CSS vendor prefixes (and this affects their website’s usability), how to expect them implementing something like this (when this does not really affect how the browsers handle the website)?

    Also, Martin, what is the Ghacks website survey? I accepted it, and it asked for the age. I am under 15 and the survey ended just after one question.

    1. Martin Brinkmann said on June 13, 2013 at 2:30 am

      It is from Federated Media to find out more about the site’s demographics so that better ads are displayed.

      1. Swapnil said on June 13, 2013 at 3:11 am

        I am amazed that one question is enough for that.

      2. Martin Brinkmann said on June 13, 2013 at 5:23 am

        It is likely because of your age, but I do not really know for certain.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.