Security/CSP/AllowedScripts

From MozillaWiki
Latest revision as of 08:28, 31 August 2010

Overview

This document describes an alternative design for content security policies that is based on a white list of script origins and focuses on protecting against Type I (reflected) and Type II (stored) XSS, i.e. script injected into server-generated markup.

Syntax

An HTTP server can deliver a policy to the browser by including a header named X-Allowed-Scripts.  The X-Allowed-Scripts header has the following syntax:

allowed-scripts         = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "/" / "*" / origin
origin                  = <as defined by draft-abarth-origin>

The user agent MUST ignore any X-Allowed-Scripts header fields carried in an HTML meta element or in HTTP trailers (header fields sent after the response body); only fields in the response headers proper carry a policy.

Semantics

If the X-Allowed-Scripts header is present, the user agent MUST take the following steps:

  • Disable inline JavaScript for the current page, including inline script elements, inline event handlers, script in CSS style sheets, and JavaScript URLs.
  • Prevent the current page from generating requests for data URLs.
  • Prevent the current page from loading external scripts and plug-ins unless those loads respect the effective origin list.

A URL is contained in the effective origin list if the URL is contained in the origin list of every X-Allowed-Scripts header field associated with the HTTP response.

The origin list of an X-Allowed-Scripts header field is the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, "/", "none", and "*", denote the following sets of URLs:

  • "/" denotes the set of URLs whose origin, in its ASCII serialization, matches the ASCII serialization of the current web page's origin.
  • "none" denotes the empty set of URLs.
  • "*" denotes the set of all URLs.

An origin in the origin list represents the set of URLs that have that exact string as the ASCII serialization of their origin. Because the serialization omits a scheme's default port, an origin written as "https://example.com:443" never matches any URL; write "https://example.com" instead.

A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.
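The following Python model is an added example, not Mozilla code and not part of the original page. It parses the header grammar from the Syntax section and applies the checks from this section: the per-field origin list, the effective origin list as the intersection over all fields, the redirect-chain rule, and the unconditional refusal of data: URLs. Origin serialization follows draft-abarth-origin (scheme, lowercased host, port only when it is not the scheme's default); that rule and the fail-closed handling of a malformed descriptor (the page does not say what to do with one) are assumptions, and all URLs and header values in the demo are constructed.

```python
from urllib.parse import urlsplit

# Ports omitted from an origin's ASCII serialization (draft-abarth-origin rule,
# assumed here since the page only references that draft).
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def serialize_origin(url):
    """ASCII serialization of the origin of `url`, or None if the URL has no
    host-based origin (data:, about:, blob: and similar)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname                  # lowercased by urlsplit
    if not scheme or not host:
        return None
    try:
        port = parts.port
    except ValueError:                     # e.g. "https://h:notaport/"
        return None
    if ":" in host:                        # IPv6 literal keeps its brackets
        host = f"[{host}]"
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def is_origin_descriptor(token):
    """True if `token` is a bare origin (scheme://host[:port]) with no path,
    query or fragment attached."""
    parts = urlsplit(token)
    return (serialize_origin(token) is not None
            and parts.path == "" and parts.query == "" and parts.fragment == "")


class OriginList:
    """The set of URLs denoted by one X-Allowed-Scripts field value."""

    def __init__(self, field_value, page_origin):
        self.allow_all = False
        self.origins = set()
        # OWS around the list and 1*SP between descriptors: split on whitespace.
        for token in field_value.split():
            if token == "*":
                self.allow_all = True
            elif token == "none":
                pass                       # the empty set adds nothing
            elif token == "/":
                if page_origin is not None:
                    self.origins.add(page_origin)
            elif is_origin_descriptor(token):
                # Matched literally against a URL's serialized origin, as the
                # page specifies, so "https://h:443" never matches anything.
                self.origins.add(token)
            else:
                # Assumption (not in the page): a malformed descriptor makes
                # the whole field fail closed, i.e. behave like "none".
                self.allow_all = False
                self.origins = set()
                return

    def contains(self, url):
        if self.allow_all:
            return True
        origin = serialize_origin(url)
        return origin is not None and origin in self.origins


class AllowedScriptsPolicy:
    """Enforcement of every X-Allowed-Scripts field on one HTTP response."""

    def __init__(self, page_url, field_values):
        self.page_origin = serialize_origin(page_url)
        self.lists = [OriginList(v, self.page_origin) for v in field_values]

    def allows_url(self, url):
        # Effective origin list: the URL must be in every field's origin list.
        return all(lst.contains(url) for lst in self.lists)

    def allows_load(self, request_chain):
        """`request_chain` is the initial request URL followed by each redirect
        target. The load respects the effective origin list only if every URL
        in the chain is allowed; data: URLs are refused regardless of policy."""
        if not request_chain:
            return False
        for url in request_chain:
            if urlsplit(url).scheme.lower() == "data":
                return False
            if not self.allows_url(url):
                return False
        return True


if __name__ == "__main__":
    # Constructed sample: a page at app.example.com served with two fields.
    policy = AllowedScriptsPolicy(
        "https://app.example.com/index.html",
        ["/ https://cdn.example.com",
         "https://app.example.com https://cdn.example.com https://other.example"])
    for chain in (["https://cdn.example.com/lib.js"],
                  ["https://cdn.example.com/lib.js", "https://other.example/lib.js"],
                  ["data:text/javascript,alert(1)"]):
        print(" -> ".join(chain), "allowed" if policy.allows_load(chain) else "blocked")
```

Note that `allows_load` is the check to apply per fetch, not `allows_url` alone: a script whose first hop is on an allowed CDN but which redirects to an unlisted host is blocked, which is the point of the redirect clause.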