A popular service like Gmail inevitably becomes a target for hackers. Over the years, Google has made quite a few security improvements, such as requiring HTTPS connections to prevent others from getting access to your email. Today the company announced that it has implemented support for Content Security Policy (CSP) to prevent cross-site scripting attacks and malevolent browser plug-ins from messing with your inbox and (potentially) stealing your data.
Content Security Policy, in the way Google has implemented it, is a blacklist/whitelist system for stopping sites from loading unsafe code from third-party sites and for preventing cross-site scripting attacks. It uses an HTTP header to instruct the browser to only execute and render code from trusted sites. So if an attacker tries to trick the site into loading any other code, the browser will simply refuse to load it and throw an error.