Calls: Send in your ideas. Deadline April 1, 2024

Last update: 2008-11-09

Grant
End: 2009-01

NoScriptABE

improve the ABE (Application Boundaries Enforcer) for NoScript

NoScript is a popular (over two millions active users) add-on extending the Firefox open source web browser and other products based on the Mozilla Gecko engine. NoScript increases web client security by applying a Default Deny policy to JavaScript, Java, Flash, and other active content. It provides users with an one-click interface to easily whitelist sites they trust for active content execution.

The Application Boundaries Enforcer (ABE) module will attempt to harden the web application oriented protections already provided by NoScript with a firewall-like component running inside the browser.

This project is specifically focused on developing a new web browser component called ABE, aimed to mitigate or defeat Cross Site Request Forgery (CSRF) attacks against sensitive web applications. This component will be built on the existing request interception, tracing and blocking framework of NoScript, and it will be integrated in NoScript's broader web security infrastructure, together with whitelist-based scripting, active content execution policies, anti-XSS filters, ClearClick anti-ClickJacking protection and HTTPS/Secure Cookies enhancements. After a working ABE implementation as a NoScript component gets completed, a refactoring and repackaging activity to deploy it as a separate “ABE Firefox Add-On” will be done.