Hello. I specialize in graphic design and development for web applications.
XSS (Cross-Site Scripting) is one of the main problems with JavaScript. I was just reading an article on JavaScript security when an idea came to me. We could solve all these problems by allowing servers to send an Allow-content header (or something like that).
This header could contain either “any”, “no-dynamic”, or a domain name. The first would allow scripts from any site to be executed. The second option would tell the browsers not to execute any JavaScript or other dynamic content on the page at all. The final option would allow the execution of dynamic content only from the specified domain (in the same format as is used in cookies, .domainname.com being a wildcard).
Think of how many XSS attacks this could prevent! Headers can only be modified with JavaScript or an “http-equiv” meta tag, neither of which could be inserted into a webpage without the use of JavaScript in the traditional XSS way. I suppose many people who don’t know or don’t care about XSS attacks wouldn’t bother with setting the header; however, for the many who do care but don’t see a vulnerability, this would be helpful.
What are your thoughts on this? Do you see any loopholes? Obviously, there’s no protection against mirroring of your website for malicious purposes, and this would in no way lift the requirement to sanitize input because of compatibility issues. Still, I think it’s a pretty good start.
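The decision a browser would have to make under this proposal, written out as an added example (not code from the original post). The Allow-content header is the post's hypothetical; the function names and the handling of a missing header, malformed values and inline scripts are assumptions, labelled in the comments.

```javascript
// Added illustration of the proposed (hypothetical) Allow-content header.
// Assumptions: a missing header keeps today's behaviour ("any"); a malformed
// value fails closed; inline scripts have no source host, so a domain policy
// refuses them; ".domainname.com" matches the domain and its subdomains,
// while a bare "domainname.com" matches that host only.

function parseAllowContent(headerValue) {
  if (headerValue == null) return { mode: "any" };
  const v = headerValue.trim().toLowerCase();
  if (v === "any" || v === "no-dynamic") return { mode: v };
  // Anything else must be a single host name, optionally with a leading dot.
  if (!/^\.?([a-z0-9-]+\.)*[a-z0-9-]+$/.test(v)) return { mode: "no-dynamic" };
  return v.startsWith(".")
    ? { mode: "domain", domain: v.slice(1), wildcard: true }
    : { mode: "domain", domain: v, wildcard: false };
}

function hostMatches(host, policy) {
  host = host.toLowerCase();
  if (host === policy.domain) return true;
  // Require a label boundary so "evildomainname.com" never matches
  // ".domainname.com" through a plain suffix comparison.
  return policy.wildcard && host.endsWith("." + policy.domain);
}

// scriptUrl is the script's absolute src, or null for inline script content.
function scriptAllowed(headerValue, scriptUrl) {
  const policy = parseAllowContent(headerValue);
  if (policy.mode === "any") return true;
  if (policy.mode === "no-dynamic") return false;
  if (scriptUrl === null) return false; // inline content has no host to match
  let host;
  try {
    host = new URL(scriptUrl).hostname;
  } catch {
    return false; // unparseable source URL
  }
  return hostMatches(host, policy);
}
```

The label-boundary check in `hostMatches` is the part a naive suffix match gets wrong, and the inline-script rule is what decides whether the header would stop injected markup at all.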
One Response:
Comment by pozmu
Good thinking… it would be nice.
Of course it wouldn’t work with older browsers, but that’s a great idea for the future.