Security/CSP/XSSModule: Difference between revisions
No edit summary |
No edit summary |
||
| Line 36: | Line 36: | ||
The semantics of these directives are described in the following section. | The semantics of these directives are described in the following section. | ||
= Semantics = | = Semantics = | ||
This section describes the semantics of the directives introduces in the XSSModule. Other modules can re-use the syntax defined in this module provided they do not alter the semantics. | |||
== origin-list == | |||
dfdf | |||
== block-xss == | |||
dfdf | |||
== block-eval == | |||
dfdf | |||
== script-src == | |||
dfdfd | |||
= Examples = | = Examples = | ||
dddd | dddd | ||
Revision as of 23:23, 17 October 2009
Document Status
This document is a "straw-man" proposal for breaking Content Security Policies into separate modules. In particular, this module contains the cross-site script (XSS) mitigations.
Threat Model
The XSSModule seeks to help web developers reduce the severity of cross-site scripting vulnerabilities in their web sites. In particular, the XSSModule is concerned with defending against an attacker with the following abilities:
- The attacker can inject a sequence of bytes into a target web page.
- The attacker can cause the user to visit the target web page.
- The attacker owns and operates a malicious web site (e.g., attacker.com).
We further assume the web developer wishes to prevent the attacker from achieving the following goals:
- The attacker must not learn the contents of the target web site's cookies.
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.
Syntax
An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy. The general X-Content-Security-Policy header as the following syntax:
content-security-policy = "x-content-security-policy" ":" OWS csp-rule-list OWS csp-rule-list = csp-rule [";" csp-rule-list] csp-rule = future-rule / known-rule future-rule = (anything but ";") known-rule = *SP directive [ 1*SP origin-list ] *SP directive = (see below) origin-list = origin-descriptor [ 1*SP origin-list] origin-descriptor = "none" / "self" / "*" / [scheme "://"] host-descriptor host-descriptor = qualified-host-name / * ["." qualified-host-name ] qualified-host-name = dns-label "." host-name host-name = dns-label ["." host-name]
The XSSModule introduces the following directives:
directive = block-xss / block-eval / script-src
The semantics of these directives are described in the following section.
Semantics
This section describes the semantics of the directives introduces in the XSSModule. Other modules can re-use the syntax defined in this module provided they do not alter the semantics.
origin-list
dfdf
block-xss
dfdf
block-eval
dfdf
script-src
dfdfd
Examples
dddd