Jul 7, 2009

Mozilla wants to block XSS vulnerabilities

Cross-Site Scripting (XSS) attacks have been a scourge on the Web, including on well-known and popular websites. Mozilla has spent the past year working on a technology to stop these attacks: Content Security Policy.

Cross-site scripting attacks are possible because all browsers execute the JavaScript code and other content on a web page in the same security context. Mozilla's Content Security Policy (CSP) gives sites a mechanism to tell the browser which content is legitimate. Any script that the website has not approved is blocked by the browser.

Mozilla's proposal requires that all JavaScript on a web page be moved to external files, since CSP cannot distinguish legitimate scripts from JavaScript code that has been injected into or modified in the page. Inline scripts, javascript: URLs and HTML attributes that handle events are therefore ignored under CSP. Only JavaScript code loaded via a tag referring to a URL on a host approved by the site is executed. A protected website can also show a warning when CSP blocks an XSS attack. A detailed description of the possibilities can be found in the CSP specification.

Although websites therefore have to be adapted to support CSP, this can happen in stages. The Mozilla Security Team has examined many sites and found none that could not be adjusted. Documentation of best practices for migrating a site to CSP will follow. Also reassuring is that the policy is fully backwards compatible: it has no effect on websites or web browsers that do not support the specification.
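The enforcement rule described above, as an added toy model that is not part of the original article and not Mozilla's implementation: a site-supplied `script-src` host list is applied to each script on a page, every embedded form of script (inline, javascript: URL, event-handler attribute) is ignored, and a blocked script yields a report. The directive syntax, the `self` keyword and the report field names are assumptions chosen for illustration, not quoted from the CSP specification.

```python
from urllib.parse import urlsplit

# Constructed sample policy: scripts may only come from the page's own host
# and from one approved static-content host.
SAMPLE_POLICY = "script-src self static.example.com"


def parse_policy(policy):
    """Turn 'script-src self a.com; ...' into {'script-src': ['self', 'a.com']}."""
    directives = {}
    for chunk in policy.split(";"):
        fields = chunk.split()
        if fields:
            directives[fields[0]] = fields[1:]
    return directives


def evaluate_script(policy, page_host, kind, src=None):
    """Decide whether one script on the page may run; returns (allowed, reason).

    kind: 'external' (<script src=...>), 'inline' (<script>...</script>),
          'javascript-url' (href="javascript:...") or 'event-handler' (onclick=...).
    Only external scripts from an approved host run; every script embedded in
    the page is ignored, because the browser cannot tell injected code from
    the site's own.
    """
    allowed_hosts = parse_policy(policy).get("script-src", [])
    if kind != "external":
        return False, f"{kind} script ignored under CSP"
    host = urlsplit(src).hostname if src else None
    if host is None:
        return False, "external script without a usable host"
    if host == page_host and "self" in allowed_hosts:
        return True, "host matches the page's own origin (self)"
    if host in allowed_hosts:
        return True, f"host {host} is approved by the site"
    return False, f"host {host} is not listed in script-src"


def violation_report(policy, page_url, kind, src=None):
    """Build the data a browser could send back when it blocks a script
    (field names are an assumption for this example, not the spec's)."""
    allowed, reason = evaluate_script(policy, urlsplit(page_url).hostname, kind, src)
    if allowed:
        return None
    return {"document-uri": page_url, "blocked-uri": src or "inline",
            "violated-directive": "script-src", "reason": reason}


if __name__ == "__main__":
    for kind, src in [("external", "https://static.example.com/app.js"),
                      ("external", "https://other.example.net/x.js"),
                      ("inline", None), ("event-handler", None)]:
        print(kind, src, evaluate_script(SAMPLE_POLICY, "www.example.com", kind, src))
```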