Security/CSP/AllowedScripts: Difference between revisions

This document describes an alternative design for content security policies that is based on a white list and focuses on protecting against Type I and Type II XSS.


= Syntax =


An HTTP server can deliver a policy to the browser by including a header named X-Allowed-Scripts. The X-Allowed-Scripts header has the following syntax:
<pre>allowed-scripts        = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list            = origin-descriptor [ 1*SP origin-list]
origin-descriptor      = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor        = qualified-host-name / "*" ["." host-name ]
qualified-host-name    = dns-label "." host-name
host-name              = dns-label ["." host-name]
</pre>
The user agent MUST ignore any X-Allowed-Scripts header fields occurring in an HTML meta tag or in the Trailer headers.
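As an added illustration (not code from the wiki page or from any browser), the following parses an X-Allowed-Scripts value against the ABNF above and checks candidate script URLs. Because the Semantics section is still a placeholder, the matching rules are assumptions: "self" means the document's origin, an omitted scheme accepts any scheme, and "*." matches any subdomain of the named host.

```javascript
// Added example: parser and matcher for the X-Allowed-Scripts grammar.
// Matching semantics below are assumptions, not the page's specification.
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?";
// host-descriptor = qualified-host-name / "*" ["." host-name]
const HOST_DESCRIPTOR = `\\*(?:\\.${LABEL}(?:\\.${LABEL})*)?|(?:${LABEL}\\.)+${LABEL}`;
// origin-descriptor (non-keyword form) = [scheme "://"] host-descriptor
const DESCRIPTOR = new RegExp(`^(?:([A-Za-z][A-Za-z0-9+.-]*)://)?(${HOST_DESCRIPTOR})$`);

function parseAllowedScripts(value) {
  // origin-list is SP-separated; OWS around the whole list is dropped.
  const tokens = value.trim().split(/ +/).filter((t) => t.length > 0);
  const descriptors = [];
  for (const tok of tokens) {
    if (tok === "none" || tok === "self" || tok === "*") {
      descriptors.push({ kind: tok });
      continue;
    }
    const m = DESCRIPTOR.exec(tok);
    if (!m) throw new Error(`invalid origin-descriptor: ${tok}`);
    const host = m[2].toLowerCase();
    descriptors.push({
      kind: "host",
      scheme: m[1] ? m[1].toLowerCase() : null,   // null = any scheme (assumption)
      wildcard: host.startsWith("*."),
      host: host.replace(/^\*\./, ""),
    });
  }
  return descriptors;
}

function hostMatches(d, hostname) {
  // "*.example.net" matches subdomains only, not example.net itself (assumption).
  return d.wildcard ? hostname.endsWith("." + d.host) : hostname === d.host;
}

function isScriptAllowed(descriptors, documentUrl, scriptUrl) {
  const doc = new URL(documentUrl);
  const src = new URL(scriptUrl);
  return descriptors.some((d) => {
    if (d.kind === "none") return false;            // matches nothing
    if (d.kind === "*") return true;                 // matches everything
    if (d.kind === "self") return src.origin === doc.origin;
    if (d.scheme && d.scheme !== src.protocol.replace(/:$/, "")) return false;
    return hostMatches(d, src.hostname);
  });
}
```

Single-label hosts such as `localhost` are rejected because qualified-host-name requires at least two labels.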


= Semantics =


xxx