From MozillaWiki
< Security‎ | CSP
Jump to: navigation, search


This document describes an alternative design for content security policies that is based on a white list and focuses on protecting from Type I and Type II XSS.


An HTTP server can deliver a policy to the browser by including a header named X-Allowed-Scripts.  The X-Allowed-Scripts header has the following syntax:

allowed-scripts         = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "/" / "*" / origin
origin                  = <as defined by draft-abarth-origin>

The user agent MUST ignore any X-Allowed-Scripts header fields occurring in an HTML meta tag or in the Trailer headers.


If the X-Allowed-Scripts header is present, the user agent MUST take the following steps:

  • Disable inline JavaScript for the current page, including inline script elements, inline event handlers, script in CSS style sheets, and JavaScript URLs.
  • Prevent the current page from generating requests for data URLs.
  • Prevent the current page from loading external scripts and plug-ins unless those loads respect the effective origin list.

A URL is contained in the effective origin list if the URL is contained in the origin list of every X-Allowed-Scripts header field associated with the HTTP response.

The origin list of an X-Allowed-Scripts header field is the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:

  • "/" denotes the set of URLs whose ASCII serialization of their origin matches the ASCII serialization of the current web page's origin.
  • "none" denotes the empty set of URLs.
  • "*" denotes the set of all URLs.

An origin in the origin list represent the set of URLs that have that string as the ASCII serialization of their origin.

A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.