CsFire is an add-on for Mozilla Firefox which protects you against malicious cross-domain requests. Such cross-domain requests can lead to Cross-Site Request Forgery (CSRF) attacks or can be used to track you around the internet. This site contains all the CsFire information, ranging from configuration information to background information. We also provide several screenshots, as well as a few test cases, showing that CsFire is able to strip cookies or HTTP authentication credentials.

CsFire autonomously protects you against dangerous or malicious cross-domain requests, such as Cross-Site Request Forgery (CSRF). CSRF is very prevalent and dangerous, as stated by the OWASP top 10, as well as the CWE/SANS top 25 programming errors.

If you are looking to download the CsFire add-on, you can click on the green button below. It will take you to the Mozilla Add-On site, which is the only official download location of CsFire.

Using CsFire
After you have installed CsFire, a new icon will be added to your status bar. This green shield indicates that CsFire is actively protection you. By clicking on this icon, you can choose to disable CsFire's protection mechanism. You can also gain access to the preference dialogs, which allows the detailed configuration of CsFire.

The CsFire policies are the core of the protection mechanism. A built-in client policy is the secure-by-default policy, which is complemented by remote and local policies. Remote policies are retrieved from a server and contain policy rules allowing specific cross-domain functionality (mainly authentication to services). Using local policies, a user is able to define very specific, custom policies which make CsFire adaptable to specific scenarios.

Information on how to use these options in CsFire can be found using the table of contents on the left. More background information on the decision mechanism and different policies can be found on this page.
Compatibility Note.

During the development of CsFire, a small bug in Firefox led to the inability to strip HTTP authentication headers in a reliable way. This bug will be fixed in an upcoming release of Firefox (4), which is why this particular bit of CsFire is disabled until then. Once your browser supports the stripping of HTTP authentication headers, CsFire will enable this functionality automatically.

Requirements:
* Firefox

The license of this software is Freeware, you can free download and free use this browser plug-ins software.