Mar 1, 2011

Content Security Policy (CSP) implemented on LastPass.com -- the beginning of the end of bookmarklets?

If you're using Firefox 4, you now gain the additional protection afforded by CSP (Content Security Policy) on LastPass.com.

This is a big step forward in protecting against any Cross Site Scripting attack - and potentially other browser based attacks - because even if one occurred, each page controls exactly which pages it can talk to, so there is no possibility of data leakage resulting from the attack.

This has been eye-opening as we've implemented it. It has a reporting infrastructure built in so you can see exactly what requests are being blocked. We've already seen over a dozen unique bookmarklets caught in our CSP blocking net.
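As an added example (not code from LastPass or from this post), here is a small Python triage script for the violation reports a CSP `report-uri` endpoint receives. It assumes the later standardized `csp-report` JSON shape; the report bodies and hostnames are constructed for the example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample report bodies in the standardized "csp-report" JSON shape
# that a browser POSTs to the report-uri endpoint (hostnames are made up).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://lastpass.com/?securitychallenge=1", '
    '"violated-directive": "script-src", "blocked-uri": "https://bookmarklet.example/loader.js"}}',
    '{"csp-report": {"document-uri": "https://lastpass.com/", '
    '"violated-directive": "script-src", "blocked-uri": "https://bookmarklet.example/loader.js"}}',
    '{"csp-report": {"document-uri": "https://lastpass.com/", '
    '"violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://lastpass.com/", '
    '"violated-directive": "img-src", "blocked-uri": "https://tracker.example/pixel.gif"}}',
    'not json at all',  # a malformed body the endpoint must tolerate
]

def parse_report(raw):
    """Return the csp-report dict, or None if the body is not a well-formed report."""
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report

def blocked_source(report):
    """Normalise blocked-uri to an origin (or a keyword such as 'inline'), so
    repeated hits from one external script count as one unique source."""
    uri = report.get("blocked-uri", "")
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return uri or "unknown"

def summarise(raw_reports):
    """Count violations per (directive, blocked origin); malformed bodies are skipped."""
    counts = Counter()
    for raw in raw_reports:
        report = parse_report(raw)
        if report is None:
            continue
        directive = report["violated-directive"].split()[0]
        counts[(directive, blocked_source(report))] += 1
    return counts

if __name__ == "__main__":
    for (directive, source), n in summarise(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {directive:<12} {source}")
```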

Does this mean the end of bookmarklets? Any site with sensitive data will ultimately implement CSP, making even our own bookmarklet for logging in obsolete. Now is the time to start requesting that browsers support overrides to the CSP to keep your favorite bookmarklets working everywhere.

Today, CSP is only deployed on Firefox 4, but the LastPass extension should support it on a number of other browsers in our next release.

We haven't fully locked down our CSP yet; today we're allowing every page from LastPass.com to talk to LastPass.com, but soon we'll lock this down further so that https://LastPass.com/?securitychallenge=1 can ONLY talk to https://LastPass.com/?securitychallenge=1, which will be another big step forward.