This document describes an alternative design for content security policies that is based on a white list and focuses on protecting from Type I and Type II XSS.
An HTTP server can deliver a policy to the browser by including a header named X-Allowed-Scripts. The X-Allowed-Scripts header has the following syntax:
allowed-scripts = "x-allowed-scripts" ":" OWS origin-list OWS origin-list = origin-descriptor [ 1*SP origin-list] origin-descriptor = "none" / "/" / "*" / origin origin = <as defined by draft-abarth-origin>
The user agent MUST ignore any X-Allowed-Scripts header fields occurring in an HTML meta tag or in the Trailer headers.
If the X-Allowed-Scripts header is present, the user agent MUST take the following steps:
- Prevent the current page from generating requests for data URLs.
- Prevent the current page from loading external scripts and plug-ins unless those loads respect the effective origin list.
A URL is contained in the effective origin list if the URL is contained in the origin list of every X-Allowed-Scripts header field associated with the HTTP response.
The origin list of an X-Allowed-Scripts header field is the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:
- "/" denotes the set of URLs whose ASCII serialization of their origin matches the ASCII serialization of the current web page's origin.
- "none" denotes the empty set of URLs.
- "*" denotes the set of all URLs.
An origin in the origin list represent the set of URLs that have that string as the ASCII serialization of their origin.
A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.