Security/CSP/XSSModule

Revision as of 23:26, 17 October 2009 by Abarth

Overview

This document is a "straw-man" proposal for breaking Content Security Policies into separate modules.  In particular, this document defines the XSSModule, which contains the cross-site script (XSS) mitigations.  The XSSModule lets web developers mitigate XSS attacks by disabling unneeded functionality used by attackers to mount XSS attacks.

Threat Model

The XSSModule seeks to help web developers reduce the severity of cross-site scripting vulnerabilities in their web sites.  In particular, the XSSModule is concerned with defending against an attacker with the following abilities:

  • The attacker can inject a sequence of bytes into a target web page.
  • The attacker can cause the user to visit the target web page.
  • The attacker owns and operates a malicious web site (e.g., attacker.com).

We further assume the web developer wishes to prevent the attacker from achieving the following goals:

  • The attacker must not learn the contents of the target web site's cookies.

We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.

Syntax

An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy.  The general X-Content-Security-Policy header has the following syntax:

content-security-policy = "x-content-security-policy" ":" OWS csp-rule-list OWS
csp-rule-list           = csp-rule [";" csp-rule-list]
csp-rule                = future-rule / known-rule
future-rule             = (anything but ";")
known-rule              = *SP directive [ 1*SP origin-list ] *SP
directive               = (see below)
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor         = qualified-host-name / "*" ["." qualified-host-name ]
qualified-host-name     = dns-label "." host-name
host-name               = dns-label ["." host-name]

The XSSModule introduces the following directives:

directive               = block-xss / block-eval / script-src

The semantics of these directives are described in the following section.
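As an added example that is not part of the original proposal, the following Python parser follows the grammar above: rules are split on ";", known directives have their origin-list validated against origin-descriptor, and any other rule is kept verbatim as a future-rule. The regular expression for dns-label is an assumption (the page does not define it), and the parser assigns no semantics to the directives.

```python
import re
from typing import Dict, List

# Directives defined by the XSSModule (from the grammar on this page).
KNOWN_DIRECTIVES = {"block-xss", "block-eval", "script-src"}

# Assumed definition of dns-label: the page does not define it.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
# qualified-host-name = dns-label "." host-name  (at least two labels)
_QUALIFIED_HOST = rf"{_LABEL}(?:\.{_LABEL})+"
# origin-descriptor = "none" / "self" / "*" / [scheme "://"] host-descriptor
# host-descriptor   = qualified-host-name / "*" ["." qualified-host-name]
_ORIGIN_RE = re.compile(
    rf"^(?:none|self|\*|(?:[a-z][a-z0-9+.-]*://)?"
    rf"(?:{_QUALIFIED_HOST}|\*(?:\.{_QUALIFIED_HOST})?))$",
    re.IGNORECASE,
)


class PolicyError(ValueError):
    """Raised when a known directive carries a malformed origin-descriptor."""


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Parse the value of an X-Content-Security-Policy header.

    Known directives map to their origin-list (empty if none was given).
    Rules this module does not define (future-rule) are stored verbatim
    under "future-rules" so that another module may interpret them.
    """
    policy: Dict[str, List[str]] = {"future-rules": []}
    for rule in header_value.split(";"):          # csp-rule-list
        tokens = rule.split()                     # *SP directive [1*SP origin-list] *SP
        if not tokens:
            continue                              # empty rule between separators
        directive, origins = tokens[0].lower(), tokens[1:]
        if directive not in KNOWN_DIRECTIVES:
            policy["future-rules"].append(rule.strip())   # future-rule: keep as-is
            continue
        for origin in origins:
            if not _ORIGIN_RE.match(origin):
                raise PolicyError(f"malformed origin-descriptor {origin!r} in {directive}")
        policy[directive] = origins
    return policy


if __name__ == "__main__":
    # Constructed sample header, not taken from the page.
    print(parse_csp("block-xss; script-src self https://*.example.com; new-rule foo"))
```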

Semantics

This section describes the semantics of the directives introduced in the XSSModule.  Other modules can re-use the syntax defined in this module provided they do not alter the semantics.

origin-list

dfdf

block-xss

dfdf

block-eval

dfdf

script-src

dfdfd

Examples

dddd