Security/CSP/XSSModule

From MozillaWiki
< Security‎ | CSP
Revision as of 23:23, 17 October 2009 by Abarth (talk | contribs)
Jump to navigation Jump to search

Document Status

This document is a "straw-man" proposal for breaking Content Security Policies into separate modules.  In particular, this module contains the cross-site script (XSS) mitigations.  

Threat Model

The XSSModule seeks to help web developers reduce the severity of cross-site scripting vulnerabilities in their web sites.  In particular, the XSSModule is concerned with defending against an attacker with the following abilities:

  • The attacker can inject a sequence of bytes into a target web page.
  • The attacker can cause the user to visit the target web page.
  • The attacker owns and operates a malicious web site (e.g., attacker.com).

We further assume the web developer wishes to prevent the attacker from achieving the following goals:

  • The attacker must not learn the contents of the target web site's cookies.

We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.

Syntax

An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy.  The general X-Content-Security-Policy header as the following syntax: 

content-security-policy = "x-content-security-policy" ":" OWS csp-rule-list OWS
csp-rule-list           = csp-rule [";" csp-rule-list]
csp-rule                = future-rule / known-rule
future-rule             = (anything but ";")
known-rule              = *SP directive [ 1*SP origin-list ] *SP
directive               = (see below)
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor         = qualified-host-name / * ["." qualified-host-name ]
qualified-host-name     = dns-label "." host-name
host-name               = dns-label ["." host-name]

The XSSModule introduces the following directives: 

directive               = block-xss / block-eval / script-src

The semantics of these directives are described in the following section.

Semantics

This section describes the semantics of the directives introduces in the XSSModule.  Other modules can re-use the syntax defined in this module provided they do not alter the semantics.

origin-list

dfdf

block-xss

dfdf

block-eval

dfdf

script-src

dfdfd

Examples

dddd

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/CSP/XSSModule&oldid=176336"