Site Security Policy proposal
Brandon Sterne from Mozilla recently published an interesting proposal which could hopefully make the web a bit safer for the regular Joe. The proposed Site Security Policy framework would allow sites to describe how content in their pages should behave. For instance, you could filter valid sources of JavaScript on the page, restrict request targets (preventing page content from making outbound communication to other sites) or restrict valid request sources. You could even log security alerts. The current proof-of-concept Firefox extension only handles policy defined through HTTP headers. That could potentially bring more traffic on high-load sites than, for example, crossdomain.xml, which Flash loads from a so-called “well known location” (like favicon.ico or robots.txt) and which can be cached.
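To make the idea concrete, here is an added toy enforcer (my own illustration, not code from the proposal or its Firefox extension): it parses a constructed header-style policy into allowed hosts for script sources and request targets, then blocks and logs any page load that falls outside it. The header syntax, directive names and URLs are assumptions made up for this example.

```python
from urllib.parse import urljoin, urlparse

# Toy policy syntax, constructed for this example (not the proposal's real grammar):
#   "<directive> host1 host2; <directive> host3"
# A site would send it in a response header; here it is just a string.
POLICY_HEADER = (
    "script-src example.com static.example.com; "
    "request-targets example.com api.example.com"
)

# Which load kinds are governed by which directive
DIRECTIVE_FOR = {"script": "script-src", "request": "request-targets"}


def parse_policy(header_value):
    """Turn the toy header value into {directive: set of allowed hosts}."""
    policy = {}
    for clause in header_value.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0]] = set(parts[1:])
    return policy


def enforce(policy, page_url, loads):
    """Return (blocked_urls, alerts) for a list of (kind, url) page loads.

    Relative URLs resolve against the page, so same-site loads stay allowed
    as long as the page's own host is listed in the relevant directive.
    """
    blocked, alerts = [], []
    for kind, url in loads:
        absolute = urljoin(page_url, url)
        host = urlparse(absolute).hostname or ""
        directive = DIRECTIVE_FOR[kind]
        if host not in policy.get(directive, set()):
            blocked.append(absolute)
            alerts.append(f"{directive} violation: {kind} load from {host} blocked")
    return blocked, alerts


# Constructed loads as a browser would observe them on https://example.com/
PAGE_LOADS = [
    ("script", "/static/app.js"),
    ("script", "https://cdn.third-party.example.net/tracker.js"),
    ("request", "https://api.example.com/profile"),
    ("request", "https://collector.third-party.example.net/beacon"),
]

if __name__ == "__main__":
    blocked, alerts = enforce(parse_policy(POLICY_HEADER), "https://example.com/", PAGE_LOADS)
    print("\n".join(alerts))  # two violations: the third-party script and beacon
```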
This is by no means ultimate protection, nor server-side protection of any kind. It can still be bypassed by malicious users, but it could potentially add a thin layer (though still a layer) of user protection against Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks.
The idea is anything but new. Five years ago, Flash Player 7 introduced policy files used for cross-domain data loading access control (crossdomain.xml). The current Flash Player 9 went even further, introducing new functionality such as meta-policies.