Overview
This document describes an alternative design for content security policies that is based on a white list and focuses on protecting from Type I and Type II XSS.
Syntax
An HTTP server can deliver a policy to the browser by including a header named X-Allowed-Scripts. The X-Allowed-Scripts header has the following syntax:
allowed-scripts = "x-allowed-scripts" ":" OWS origin-list OWS
origin-list = origin-descriptor [ 1*SP origin-list ]
origin-descriptor = "none" / "self" / "*" / [ scheme "://" ] host-descriptor
host-descriptor = qualified-host-name / "*" [ "." host-name ]
qualified-host-name = dns-label "." host-name
host-name = dns-label [ "." host-name ]
The user agent MUST ignore any X-Allowed-Scripts header fields occurring in an HTML meta tag or in the Trailer headers.
Semantics
If the X-Allowed-Scripts header is present, the user agent MUST take the following steps:
- Disable inline JavaScript for the current page, including inline script elements, inline event handlers, script in CSS style sheets, and JavaScript URLs.
- Prevent the current page from generating requests for data URLs.
- Prevent the current page from loading external scripts and plug-ins unless those loads respect the effective origin list.
A URL is contained in the effective origin list if the URL is contained in the origin list of every X-Allowed-Scripts header field associated with the HTTP response.
The origin list of an X-Allowed-Scripts header field is the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:
- "self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.
- "none" denotes the empty set of URLs.
- "*" denotes the set of all URLs.
Instead of a constant, an origin-descriptor can be a non-constant descriptor such as the following:
example.com *.example.org https://example.net http://*.foo.example.com
If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page. If the descriptor contains a *, then the star matches zero or more subdomains. For example, *.example.org matches example.org, foo.example.org and bar.foo.example.org. The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor. Notice that in all cases the origin-list ignores port numbers for simplicity.
A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.
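The matching rules above (constant descriptors, scheme defaulting, the zero-or-more-subdomain star, port-insensitivity, the intersection across multiple header fields, and the requirement that every redirect hop be allowed) as an added worked example; this is illustrative code written for this page, not an implementation from Mozilla or any browser, and the header values and URLs in it are constructed.

```python
from urllib.parse import urlsplit

# Constructed example implementing the X-Allowed-Scripts rules described
# on this page; not a browser's code.

def parse_origin_list(header_value):
    """One header field value -> list of origin-descriptors (split on SP)."""
    return header_value.split()

def descriptor_matches(descriptor, url, page_url):
    """True if url is in the set of URLs denoted by one origin-descriptor."""
    page, target = urlsplit(page_url), urlsplit(url)
    scheme, host = target.scheme.lower(), (target.hostname or "").lower()
    if descriptor == "none":
        return False
    if descriptor == "*":
        return True
    if descriptor == "self":
        return (scheme == page.scheme.lower()
                and host == (page.hostname or "").lower())
    # Non-constant descriptor: optional scheme, then a host pattern.
    if "://" in descriptor:
        want_scheme, pattern = descriptor.split("://", 1)
    else:
        want_scheme, pattern = page.scheme, descriptor  # default to page scheme
    if scheme != want_scheme.lower():
        return False
    pattern = pattern.lower()
    if pattern == "*":
        return True  # any host, given the scheme matched
    if pattern.startswith("*."):
        base = pattern[2:]
        # The star matches zero or more subdomains, so the bare base matches too.
        return host == base or host.endswith("." + base)
    return host == pattern  # port numbers are ignored throughout

def in_origin_list(origin_list, url, page_url):
    return any(descriptor_matches(d, url, page_url) for d in origin_list)

def load_respects_policy(header_values, request_chain, page_url):
    """header_values: every X-Allowed-Scripts field on the response.
    request_chain: the initial request URL followed by each redirect target.
    A URL is in the effective origin list only if every field allows it,
    and every URL in the chain must be in that list."""
    if any(urlsplit(u).scheme.lower() == "data" for u in request_chain):
        return False  # data URLs are blocked whenever a policy is present
    lists = [parse_origin_list(h) for h in header_values]
    return all(in_origin_list(ol, u, page_url)
               for ol in lists for u in request_chain)
```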