Security/CSP/XSSModule: Difference between revisions

From MozillaWiki
Revision as of 23:20, 17 October 2009

Document Status

This document is a "straw-man" proposal for breaking Content Security Policies into separate modules.  In particular, this module contains the cross-site scripting (XSS) mitigations.

Threat Model

The XSSModule seeks to help web developers reduce the severity of cross-site scripting vulnerabilities in their web sites.  In particular, the XSSModule is concerned with defending against an attacker with the following abilities:

  • The attacker can inject a sequence of bytes into a target web page.
  • The attacker can cause the user to visit the target web page.
  • The attacker owns and operates a malicious web site (e.g., attacker.com).

We further assume the web developer wishes to prevent the attacker from achieving the following goal:

  • Learning the contents of the target web site's cookies.

We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.

Syntax

An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy.  The general X-Content-Security-Policy header has the following syntax:

content-security-policy = "x-content-security-policy" ":" OWS csp-rule-list OWS
csp-rule-list           = csp-rule [";" csp-rule-list]
csp-rule                = future-rule / known-rule
future-rule             = (anything but ";")
known-rule              = *SP directive [ 1*SP origin-list ] *SP
directive               = (see below)
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor         = qualified-host-name / "*" ["." qualified-host-name ]
qualified-host-name     = dns-label "." host-name
host-name               = dns-label ["." host-name]

The XSSModule introduces the following directives:

directive               = block-xss / block-eval / script-src

The semantics of these directives are described in the following section.
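The following parser is an added example and is not code from the proposal or from Mozilla; it implements the grammar above literally so that a developer can see which header values the syntax accepts. It assumes that a rule whose first token is not one of block-xss, block-eval or script-src is a future-rule (retained verbatim and otherwise ignored), that a known directive followed by a malformed origin-list is an error rather than a future-rule, and that repeating a known directive is an error. None of those three choices is stated on this page; the semantics of the directives themselves are not modelled here because the page does not yet define them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directives defined by the XSSModule grammar on the page. Any other rule is a
# future-rule, kept verbatim so that a parser survives newer syntax.
KNOWN_DIRECTIVES = {"block-xss", "block-eval", "script-src"}

# dns-label / host-name / qualified-host-name as in the grammar. Note that a
# qualified-host-name needs at least one ".", so a bare "localhost" is rejected.
# "*" is allowed alone or as the leading label of a qualified-host-name.
DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_NAME = rf"{DNS_LABEL}(?:\.{DNS_LABEL})*"
QUALIFIED_HOST = rf"{DNS_LABEL}\.{HOST_NAME}"
HOST_DESCRIPTOR = rf"(?:{QUALIFIED_HOST}|\*(?:\.{QUALIFIED_HOST})?)"
SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
# origin-descriptor (non-keyword form): [scheme "://"] host-descriptor
ORIGIN_RE = re.compile(rf"^(?:(?P<scheme>{SCHEME})://)?(?P<host>{HOST_DESCRIPTOR})$")


@dataclass
class Origin:
    kind: str                     # "none", "self", "any" (for "*") or "host"
    scheme: Optional[str] = None  # only for kind == "host"
    host: Optional[str] = None    # only for kind == "host", lower-cased


@dataclass
class Policy:
    rules: Dict[str, List[Origin]] = field(default_factory=dict)  # known directives
    future_rules: List[str] = field(default_factory=list)         # unrecognised rules, raw


def parse_origin(token: str) -> Origin:
    """Parse one origin-descriptor; raise ValueError if it does not fit the grammar."""
    if token == "none":
        return Origin("none")
    if token == "self":
        return Origin("self")
    if token == "*":
        return Origin("any")
    m = ORIGIN_RE.match(token)
    if not m:
        raise ValueError(f"invalid origin-descriptor: {token!r}")
    return Origin("host", m.group("scheme"), m.group("host").lower())


def parse_policy(header_value: str) -> Policy:
    """Parse the value of an X-Content-Security-Policy header into a Policy."""
    policy = Policy()
    # csp-rule-list = csp-rule [";" csp-rule-list]
    for raw_rule in header_value.split(";"):
        rule = raw_rule.strip(" \t")          # *SP ... *SP around a known-rule
        if not rule:
            continue                          # tolerate an empty rule such as a trailing ";"
        tokens = rule.split()
        directive, origin_tokens = tokens[0].lower(), tokens[1:]
        if directive not in KNOWN_DIRECTIVES:
            # future-rule = (anything but ";"): keep it, do not interpret it (assumption)
            policy.future_rules.append(rule)
            continue
        if directive in policy.rules:
            raise ValueError(f"directive repeated: {directive}")   # assumption
        # origin-list is optional; a bad descriptor under a known directive is an error (assumption)
        policy.rules[directive] = [parse_origin(t) for t in origin_tokens]
    return policy


if __name__ == "__main__":
    # Constructed sample header, not one taken from the page.
    sample = "block-xss; block-eval; script-src self https://cdn.example.com *.example.org; sandbox foo"
    print(parse_policy(sample))
```

Because the grammar makes the origin-list optional, `block-xss` and `block-eval` parse to an empty list; a wildcard such as `*.example.org` is accepted only with a qualified host after the dot, exactly as the host-descriptor production requires.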

Semantics

yyy

Examples

dddd