Security/CSP/AllowedScripts: Difference between revisions

From MozillaWiki
 
(5 intermediate revisions by the same user not shown)
Changes between the previous revision and the latest revision, shown passage by passage (passages not listed here are unchanged and appear in the latest revision below).

Syntax block, before:

allowed-scripts        = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list            = origin-descriptor [ 1*SP origin-list]
origin-descriptor      = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor        = qualified-host-name / "*" ["." host-name ]
qualified-host-name    = dns-label "." host-name
host-name              = dns-label ["." host-name]

Syntax block, after:

allowed-scripts        = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list            = origin-descriptor [ 1*SP origin-list]
origin-descriptor      = "none" / "/" / "*" / origin
origin                 = <as defined by draft-abarth-origin>

Constant origin-descriptor for the page's own origin, before:

  • "self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.

Constant origin-descriptor for the page's own origin, after:

  • "/" denotes the set of URLs whose ASCII serialization of their origin matches the ASCII serialization of the current web page's origin.

Non-constant origin-descriptors, before:

Instead of a constant, an origin-descriptor can contain a non-constant origin-descriptor such as the following:

example.com
*.example.org
https://example.net
http://*.foo.example.com

If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page. If the descriptor contains a *, then the star matches zero or more subdomains. For example, *.example.org matches example.org, foo.example.org and bar.foo.example.org. The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor. Notice that in all cases the origin-list ignores port numbers for simplicity.

Non-constant origin-descriptors, after:

An origin in the origin list represents the set of URLs that have that string as the ASCII serialization of their origin.


Latest revision as of 08:28, 31 August 2010

Overview

This document describes an alternative design for content security policies that is based on a white list and focuses on protecting against Type I and Type II XSS.

Syntax

An HTTP server can deliver a policy to the browser by including a header named X-Allowed-Scripts.  The X-Allowed-Scripts header has the following syntax:

allowed-scripts         = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "/" / "*" / origin
origin                  = <as defined by draft-abarth-origin>

The user agent MUST ignore any X-Allowed-Scripts header fields occurring in an HTML meta tag or in the Trailer headers.

Semantics

If the X-Allowed-Scripts header is present, the user agent MUST take the following steps:

  • Disable inline JavaScript for the current page, including inline script elements, inline event handlers, script in CSS style sheets, and JavaScript URLs.
  • Prevent the current page from generating requests for data URLs.
  • Prevent the current page from loading external scripts and plug-ins unless those loads respect the effective origin list.

A URL is contained in the effective origin list if the URL is contained in the origin list of every X-Allowed-Scripts header field associated with the HTTP response.

The origin list of an X-Allowed-Scripts header field is the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, "/", "none", and "*", denote the following sets of URLs:

  • "/" denotes the set of URLs whose ASCII serialization of their origin matches the ASCII serialization of the current web page's origin.
  • "none" denotes the empty set of URLs.
  • "*" denotes the set of all URLs.

An origin in the origin list represents the set of URLs that have that string as the ASCII serialization of their origin.

A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.
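The Syntax and Semantics sections above describe a small policy language; the following is an added example of how a user agent could parse and enforce it, written for this page and not code from Mozilla or from the wiki. It assumes Node's WHATWG `URL` class, whose `origin` property produces the "scheme://host[:port]" serialization that draft-abarth-origin defines, so a non-constant descriptor is accepted only if it round-trips through that serialization. The header values, page URL and request chains are constructed sample data.

```javascript
// Added example (not the wiki page's or Mozilla's code): a minimal
// user-agent-side evaluator for the X-Allowed-Scripts header.
// Assumes Node's WHATWG URL class; `new URL(x).origin` is used as the
// ASCII origin serialization of draft-abarth-origin.

// Split one header field value into origin-descriptor tokens.
// allowed-scripts = "x-allowed-scripts" ":" OWS origin-list OWS
// origin-list     = origin-descriptor [ 1*SP origin-list ]
function parseOriginList(fieldValue) {
  const tokens = fieldValue.trim().split(/[ \t]+/).filter((t) => t.length > 0);
  if (tokens.length === 0) throw new Error('empty origin-list');
  for (const t of tokens) {
    if (t === 'none' || t === '/' || t === '*') continue;
    // Every other descriptor must be a serialized origin: parsing it and
    // re-serializing must give the token back (no path, no trailing "/").
    let parsed;
    try {
      parsed = new URL(t);
    } catch {
      throw new Error(`invalid origin-descriptor: ${t}`);
    }
    if (parsed.origin !== t) throw new Error(`not a serialized origin: ${t}`);
  }
  return tokens;
}

// Does the origin list of ONE header field contain `url`?  The list is the
// union of the sets each descriptor denotes, so any matching descriptor wins.
function originListContains(tokens, url, pageOrigin) {
  const target = new URL(url).origin;
  return tokens.some((t) => {
    if (t === '*') return true;                   // all URLs
    if (t === 'none') return false;               // empty set
    if (t === '/') return target === pageOrigin;  // same origin as the page
    return target === t;                          // exact serialized origin
  });
}

// Effective origin list: the URL must be in the origin list of EVERY
// X-Allowed-Scripts field on the response (an intersection, never a union).
function inEffectiveOriginList(policy, url) {
  return policy.lists.every((tokens) => originListContains(tokens, url, policy.pageOrigin));
}

// Build the policy from the X-Allowed-Scripts field values of a response.
// Fields found in <meta> tags or Trailer headers must be dropped by the
// caller before this point, as the page requires.
function buildPolicy(pageUrl, fieldValues) {
  return { pageOrigin: new URL(pageUrl).origin, lists: fieldValues.map(parseOriginList) };
}

// Decide whether an external script or plug-in load respects the policy.
// `chain` is the initial request URL followed by every redirect target;
// each hop must be in the effective origin list.  data: URLs are refused
// outright because the header disables data URL requests for the page.
function scriptLoadAllowed(policy, chain) {
  for (const hop of chain) {
    if (new URL(hop).protocol === 'data:') return false;
    if (!inEffectiveOriginList(policy, hop)) return false;
  }
  return true;
}

// Constructed sample: a page at https://www.example.com whose response carried
// two X-Allowed-Scripts fields (say one set by the application, one by a proxy).
const samplePolicy = buildPolicy('https://www.example.com/index.html', [
  '/ https://cdn.example.net https://static.example.org',
  ' / https://cdn.example.net ',
]);

// Only origins present in BOTH fields survive: "/" and https://cdn.example.net.
console.log(scriptLoadAllowed(samplePolicy, ['https://cdn.example.net/app.js']));       // true
console.log(scriptLoadAllowed(samplePolicy, ['https://static.example.org/lib.js']));    // false
console.log(scriptLoadAllowed(samplePolicy, ['https://cdn.example.net/a.js',
                                             'http://cdn.example.net/a.js']));          // false
console.log(scriptLoadAllowed(samplePolicy, ['data:text/javascript,console.log(1)']));  // false
```

Two points the sample makes that the prose only states: a redirect from https://cdn.example.net to http://cdn.example.net is blocked because the scheme is part of the serialized origin, and an origin allowed by one header field but absent from another is blocked because the effective list is the intersection of the fields.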