Security/CSP/XSSModule
Document Status
This document is a "straw-man" proposal for breaking Content Security Policy into separate modules. In particular, this module contains the cross-site scripting (XSS) mitigations.
Threat Model
The XSSModule seeks to help web developers reduce the severity of cross-site scripting vulnerabilities in their web sites. In particular, the XSSModule is concerned with defending against an attacker with the following abilities:
- The attacker can inject a sequence of bytes into a target web page.
- The attacker can cause the user to visit the target web page.
- The attacker owns and operates a malicious web site (e.g., attacker.com).
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities. We further assume the web developer wishes to prevent the attacker from achieving the following goals:
- Learning the contents of the target web site's cookies.
Syntax
hhh
Semantics
yyy
Examples
dddd