A popular service like Gmail inevitably becomes a target for hackers. Over the years, Google has made quite a few security improvements like requiring HTTPS connections to prevent others from getting access to your email. Today the company announced that it has implemented support for Content Security Policy (CSP) to prevent cross-site scripting attacks and malevolent browser plugins from messing with your inbox and (potentially) stealing your data.
Content Security Policy, in the way Google has implemented it, is a blacklist/whitelist system for stopping a site from loading unsafe code from third-party sites and for preventing cross-site scripting attacks. It uses an HTTP header to instruct the browser to only execute and render code from trusted sites. So if an attacker tries to trick the site into loading any other code, the browser will refuse to run it and simply throw an error.
Google notes that most popular extensions for Gmail have already been updated and should continue to work as usual. In…