When you install Firefox 4, you instantly receive a new security mechanism called Content Security Policy. This mechanism works behind the scenes to prevent some of the more severe web-based attacks against users and websites…
While using Firefox 4 to access our latest project (a custom solution built on the SharePoint 2010 platform and served over HTTPS), we noticed that we couldn't use the out-of-the-box, frequently used Date Time Control.
The issue occurs when trying to switch to the next or previous month in the dialog that opens after clicking the calendar icon. Specifically, the HideUnhide('DatePickerDiv','DatePickerDivP1','20110501'); call wasn't executing as expected.
Using the Firebug plug-in, I was able to detect this warning in the console panel after clicking the next-month icon.
The SharePoint DateTime control uses an underlying iframe to display the popup, and I think this might trigger the security guard in FF4 that prevents clickjacking.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
CSP is designed to be fully backward compatible: browsers that don't support it still work with servers that implement it, and vice versa. Browsers that don't support CSP simply ignore it, functioning as usual and defaulting to the standard same-origin policy for web content. If the site doesn't send the CSP header, browsers likewise use the standard same-origin policy.
A secondary goal of CSP is to mitigate clickjacking. Clickjacking happens when a malicious site directs a victim’s mouse click to an unintended target in another site. This is typically done by framing the target site’s content in a transparent element.
CSP lets a site specify which sites may embed resources, thereby helping to prevent this sort of attack.
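The framing check described above, as an added example that is not part of the original post: a small Python evaluator that parses a policy and decides whether a given ancestor page may frame the protected page. The frame-ancestors directive name, the origins used and the simplified source-expression matching are assumptions made for this illustration.

```python
"""Evaluate whether a CSP frame-ancestors directive permits a framing page (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value):
    """Turn 'dir src src; dir2 src' into {directive: [sources]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin(url):
    """(scheme, host, port) triple; a missing port falls back to the scheme default."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def source_matches(source, ancestor, page):
    """Simplified matching for 'self', 'none', * and [scheme://]host[:port] sources."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return ancestor == page
    if s == "*":
        return True
    scheme, _, rest = s.rpartition("://")   # scheme is '' when the source has none
    host, _, port = rest.partition(":")
    a_scheme, a_host, a_port = ancestor
    if scheme and scheme != a_scheme:
        return False
    if port and port != "*" and int(port) != a_port:
        return False
    if host.startswith("*."):               # wildcard host matches any subdomain
        return a_host.endswith(host[1:])
    return host == a_host


def framing_allowed(header_value, page_url, ancestor_url):
    """True if a page served with this policy may be framed by ancestor_url."""
    sources = parse_policy(header_value).get("frame-ancestors")
    if sources is None:        # no directive: CSP places no restriction on framing
        return True
    return any(source_matches(s, origin(ancestor_url), origin(page_url)) for s in sources)
```

A same-origin popup iframe like the one the DateTime control uses passes a 'self' policy, while a cross-origin or mixed-scheme ancestor does not.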
Note: For security reasons, you can’t use the <meta> element to configure the X-Content-Security-Policy header.
The policy can be delivered from the server to the client via an HTTP response header or an HTML meta element. Both mechanisms indicate that a resource must have the set of restrictions specified in the policy applied to it by the user agent while rendering the content.