Overview

This document describes an alternative design for content security policies that is based on a white list and focuses on protecting from Type I and Type II XSS.

Syntax

An HTTP server can deliver a policy to the browser by including a header named X-Allowed-Scripts.  The X-Allowed-Scripts header has the following syntax:

allowed-scripts         = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "self" / "*" / origin
origin         = <as defined by draft-abarth-origin>

The user agent MUST ignore any X-Allowed-Scripts header fields occurring in an HTML meta tag or in the Trailer headers.

Semantics

If the X-Allowed-Scripts header is present, the user agent MUST take the following steps:

• Disable inline JavaScript for the current page, including inline script elements, inline event handlers, script in CSS style sheets, and JavaScript URLs.
• Prevent the current page from generating requests for data URLs.
• Prevent the current page from loading external scripts and plug-ins unless those loads respect the effective origin list.
  

A URL is contained in the effective origin list if the URL is contained in the origin list of every X-Allowed-Scripts header field associated with the HTTP response.

The origin list of an X-Allowed-Scripts header field is the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:

• "self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.
• "none" denotes the empty set of URLs.
• "*" denotes the set of all URLs.

An origin in the origin list represent the set of URLs that have that string as the ASCII serialization of their origin.

A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.