If you’re using Firefox 4, you now gain the additional protection afforded by CSP (Content Security Policy) on LastPass.com.
This has been eye-opening as we’ve implemented it. It has a reporting infrastructure built in so you can see exactly what requests are being blocked. We’ve already seen over a dozen unique bookmarklets caught in our CSP blocking net.
Does this mean the end of bookmarklets? Any site with sensitive data will ultimately implement CSP, making even our own bookmarklet for logging in obsolete. Now is the time to start asking browser vendors to support user overrides to CSP so your favorite bookmarklets keep working everywhere.
Today, only Firefox 4 enforces CSP, but the LastPass extension should support it on a number of other browsers in our next release.
We haven’t fully locked down our CSP yet; today we’re allowing every page from LastPass.com to talk to LastPass.com, but soon we’ll lock this down further so that https://LastPass.com/?securitychallenge=1 can ONLY talk to https://LastPass.com/?securitychallenge=1, which will be another big step forward.
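As an added illustration (not LastPass's own code) of the current policy stage and the reporting loop described above: a policy that lets every page talk only to its own origin, plus a small triage routine over violation reports that counts which blocked origins (bookmarklet loaders, inline script) the policy stopped. It assumes the standardized CSP directive syntax and JSON report format (Firefox 4 shipped a pre-standard header name), a `/csp-report` endpoint, and constructed sample reports.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

REPORT_PATH = "/csp-report"  # report-collection endpoint; assumed for this example


def build_policy(report_path=REPORT_PATH):
    """Policy for the stage the post describes: every LastPass.com page may talk
    only to its own origin, and every blocked request is reported back to us."""
    return "default-src 'self'; report-uri %s" % report_path


def classify(report_json):
    """Reduce one violation report to (document, blocked origin, directive name).
    Bookmarklets surface either as inline script (blocked-uri 'inline') or as a
    fetch from the third-party host whose code the bookmarklet loads."""
    r = json.loads(report_json)["csp-report"]
    blocked = r.get("blocked-uri", "")
    parts = urlsplit(blocked)
    if parts.netloc:
        origin = "%s://%s" % (parts.scheme, parts.netloc)  # drop path and query
    else:
        origin = blocked or "inline"  # 'inline', 'eval', 'self' or empty
    directive = r.get("violated-directive", "").split(" ", 1)[0]
    return r.get("document-uri", ""), origin, directive


def summarize(report_bodies):
    """Count distinct (origin, directive) pairs: what got blocked and how often."""
    counts = Counter()
    for body in report_bodies:
        _, origin, directive = classify(body)
        counts[(origin, directive)] += 1
    return counts


def _report(document, blocked, directive):
    return json.dumps({"csp-report": {"document-uri": document, "blocked-uri": blocked,
                                      "violated-directive": directive,
                                      "original-policy": build_policy()}})


# Constructed sample reports, not real LastPass telemetry.
DOC = "https://lastpass.com/?securitychallenge=1"
SAMPLE_REPORTS = [
    _report(DOC, "https://bookmarklet.example/loader.js?v=3", "script-src 'self'"),
    _report(DOC, "https://bookmarklet.example/loader.js?v=4", "script-src 'self'"),
    _report(DOC, "inline", "script-src 'self'"),
    _report(DOC, "https://widgets.example/tracker.js", "script-src 'self'"),
]
```

Two reports from the same loader host with different query strings collapse to one origin, which is how "unique bookmarklets" rather than raw hit counts fall out of the report stream.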