Content Restrictions
Version 0.5 - 2005-04-02
Introduction
The perfect way to prevent cross-site scripting (XSS) attacks would be for the user agent to read the website designer's mind to determine which scripts embedded in a page were legitimate and which were malicious. In the absence of affordable and reliable mind-reading technology, and in consideration of the mental strain this would undoubtedly induce in web page authors, this paper presents a way for a site designer to explain his state of mind to the user agent by specifying restrictions on the capabilities of his content. It is an updated version of an original proposal in a blog post.
As a real-world example, a webmail system might serve an HTML email and specify (in an HTTP header) that the user agent should not execute any script in the body of that page. This means that, even if the webmail system's content-filtering process failed, the user of a conforming user agent would not be at risk from malicious content in the attachment.
This paper is made up of a specification with interspersed commentary, coloured like this. I am particularly looking for feedback on which restrictions are useful, which are easy or hard to implement in particular browser codebases, and how the restrictions could be made more useful and easier to implement. After the first round of feedback, I hope to turn this document into a draft RFC.
If we were redesigning the web from the ground up, this concept might be better specified in terms of capabilities rather than restrictions. However, for backward-compatibility reasons, as the current default is "full capabilities", it makes sense to implement it and think about it as restrictions.
Having restrictions also removes any conflict with the wishes of the user, and therefore any need for UI. In a capabilities situation, you get into a situation where a page wants a capability and the user may have to be asked whether to grant it. In a restrictions situation, you just apply page-defined restrictions on top of any a user may specify in their preferences. A restrictions model also allows user agents to implement the specification incrementally.
The primary use for this specification is intended to be the prevention or mitigation of cross-site scripting (XSS) attacks. Sites would define and serve content restrictions for pages which contained untrusted content which they had filtered. If the filtering failed, the content restrictions may still prevent malicious script from executing or doing damage. Additionally, this specification could also be used to, for example, define a set of restrictions on a Greasemonkey script, potentially allowing the safe(r) running of script from untrusted sources within the user's session with a particular site.
Note that this specification is designed to be a backstop to server-side content filtering, not a replacement for it. There is deliberately no way for a server to easily determine the presence of or level of support for this specification in a given user agent. It's about protecting the user and covering the designer's ass, not about allowing him to be lazy.
Restrictions
The following are the defined names and allowed values for the different available restrictions. This part of the document is written in as content-agnostic a way as possible, but the exact meaning for HTML or XHTML content is specified as a guide. "all" is the default in all cases.
Ideally, each set of values could be ordered in a "restriction hierarchy", to allow user agents not supporting a particular value to fall back to the next least restrictive one. The hierarchy is not necessarily linear - for example, for cookie, it's none -> (read|write) -> all. In most cases the hierarchy is obvious, but in some places constructing it is not so easy, and this has been flagged as an issue.
script
Value | Meaning |
---|---|
none | No script may execute. |
internal | Only script directly written in the page is allowed. This is useful to allow vetted script, while preventing other arbitrary script from being imported from externally. HTML: only embedded <script> allowed; no <script src="[url]">. |
external | Only scripts external to the page are allowed. This is useful to allow some script, while still mitigating against e.g. injection into event handlers or javascript: URLs. HTML: <script src="[url]"> only. |
header | Only script defined in the document header is allowed. For document types which don't have such a header, this is equivalent to "all". HTML: script in the <head> element only. ISSUE: this is hard to fit into a restriction hierarchy, as it is not a subset or superset of either internal or external. |
all | No restrictions. |
Ideally, for "external" and "header", the script could dynamically add event handlers to content where script was forbidden, and they would still work.
cookie
Value | Meaning |
---|---|
none | No access to cookies from script. |
write | Write access only. |
read | Read access only. |
all | No restrictions. |
HTML: controls access to document.cookie. Many sites do all their cookie stuff server-side, so have no need for JS access to cookies. The value "none" has roughly the same effect as the "httpOnly" cookie header extension, although this is more fine-grained because you can allow access to cookies from script on some pages and not on others.
create
Value | Meaning |
---|---|
none | No ability to create new nodes. This allows simple changes but not a complete page transformation. HTML: no access to any method whose name starts "create" on the document interface. No document.write() or write access to innerHTML. |
noblock | No block level elements; inline only. create() methods only, because we can vet those. Is this a generic and useful way to divide elements? |
nosub | No creation of embedded subdocument containers. HTML: No creation of <frame>, <iframe> or <object>. create() methods only, because we can vet those. |
all | No restrictions. |
request
Value | Meaning |
---|---|
none | No requesting of URLs by script. The network is effectively disabled for script in this page until the user manually clicks an <a> link or submits a form. HTML: This includes forms, XMLHttpRequest, setting src and href attributes, meta refresh, window.open, document.location etc. The idea is to prevent information leaks by stopping all communication. |
nopost | GET but not POST. This includes manually-submitted POSTs, including the way the user leaves the page. The idea is that database-changing operations can only use POST, and we can prevent the script taking those actions on behalf of the user. ISSUE: Is including manually-submitted POSTs moving outside the arena of scripting? The problem we are trying to mitigate is the user being convinced to press Enter and submit the hacked-up form for the attacker. |
all | No restrictions. |
frames
Value | Meaning |
---|---|
none | No frame hierarchy traversal allowed. |
children | The children are accessible, but not the parent. This allows sites to sandbox same-domain content inside an <iframe>. HTML: the frames array is accessible, but not parent or top. |
parent | The parent is accessible, but not the children. HTML: the opposite of the above. |
all | No restrictions. |
The same-origin policy still applies, of course.
forms
Value | Meaning |
---|---|
none | No read or write access to any attribute of form controls. |
read | Read access only. |
write | Write access only. |
nopassword | No access to any attribute of <input type="password">. ISSUE: how does this fit in the restriction hierarchy? Could we combine it with read - i.e. never allow reading of password fields if there's any sort of restriction? |
all | No restrictions. |
domain
The value for this name is a domain to which all requests initiated by the page (embedded or script) are restricted. This prevents malicious scripts phoning home or importing unwanted content like applets. ISSUE: In specifying "all requests", this moves us out of the arena of restricting script actions - but it would probably be much harder to implement if we don't. The domain given doesn't have to be a suffix of the current domain. Multiple values of domain from different sources make it possible to access any of the named domains or their subdomains. Is that right? Does it open up risks? For IDN domains, the punycode form is specified.
This does not affect the usual same-origin checks. If domain is given a value in the restrictions, then writing to document.domain from script is not permitted. This mechanism supersedes that one.
Applying to Content
The restrictions are applied to content served over the web by serving it with an HTTP header, as follows:
Content-Restrictions: <policy-string>
or, in an XHTML or HTML page:
<meta http-equiv="Content-Restrictions" content="<policy-string>">
Do we need to support meta? Is it too risky, or does it widen access? Does the way the <meta> tag is defined in HTML require that all HTTP headers can be reflected in it?
The syntax is roughly (apologies for my bad BNF) of the following form:
<policy-string> ::= <version-number>;<pair-string>
<version-number> ::= (digit)+
<pair-string> ::= (<name>=<value>,)+
<name> ::= [A-Za-z0-9-.]+
<value> ::= [A-Za-z0-9-.]+
The <name>s and <value>s are those defined in the earlier part of this specification. E.g.:
Content-Restrictions: 1;script=external,cookies=none,frames=none,forms=read
Do we need a way of shortening the string, using e.g. cookies,frames=none?
There may be multiple headers or meta tags. The implementation should prefer HTTP over meta, because an attacker may have more control over the presence or contents of a meta version. The implementation should then use the policy string with the highest version number it understands. Later versions are not guaranteed to maintain compatible syntax past the semi-colon. If there are multiple such strings, the implementation should use the first one it encounters.
New versions of this policy definition may be given a distinguishing version-number; this is version 1. Compatible sub-versioning is handled by the fact that unrecognised names are ignored, along with their values; unrecognised values are treated as "all". Recognised but unsupported values should be treated as the next least restrictive supported value in the ordering defined above, which may be "all".
If the chosen string has a parsing error, the next one in priority order should be used.
What happens if, say, a page is served with one Content-Restrictions header and it includes a JS file with another one? Do you combine the two and take the toughest restriction using the hierarchy? Does that apply to all the script or just that in the included file?
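As an added illustration (not code from the proposal or any browser), here is a JavaScript model of how a user agent would process policy strings under the rules above: parsing the BNF, ignoring unrecognised names, mapping unrecognised values to "all", falling back down the restriction hierarchy for recognised-but-unsupported values, and choosing among several strings (HTTP before meta, highest understood version, first encountered, parse errors skipped). The fallback order for branches the text leaves open (read/write, script "header") is an assumption, the trailing comma is treated as optional to match the page's own example, and `SUPPORTED`-style inputs are a constructed stand-in for a particular user agent's support table.

```javascript
const KNOWN_VERSION = 1;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// Next least restrictive value per restriction name; read/write branches and "header" assumed -> "all".
const FALLBACK = {
  script:  { none: "internal", internal: "all", external: "all", header: "all" },
  cookie:  { none: "read", read: "all", write: "all" },
  create:  { none: "noblock", noblock: "all", nosub: "all" },
  request: { none: "nopost", nopost: "all" },
  frames:  { none: "children", children: "all", parent: "all" },
  forms:   { none: "read", read: "all", write: "all", nopassword: "all" },
};
// Parse "<version>;<name>=<value>,..." per the BNF (trailing comma optional); null on a parsing error.
function parsePolicy(str) {
  const pair = "[A-Za-z0-9.-]+=[A-Za-z0-9.-]+";
  const m = new RegExp(`^(\\d+);(${pair}(?:,${pair})*),?$`).exec(str.trim());
  if (!m) return null;
  const pairs = Object.create(null);
  for (const p of m[2].split(",")) {
    const [name, value] = p.split("=");
    if (!has(pairs, name)) pairs[name] = value; // first occurrence of a name wins (assumption)
  }
  return { version: Number(m[1]), pairs };
}
// Resolve parsed pairs against the values this user agent supports: unrecognised names are ignored,
// unrecognised values mean "all", recognised but unsupported values drop to the next least restrictive.
function resolve(pairs, supported) {
  const out = {};
  for (const [name, value] of Object.entries(pairs)) {
    if (!has(FALLBACK, name) || !has(supported, name)) continue;
    let v = value === "all" || has(FALLBACK[name], value) ? value : "all";
    while (v !== "all" && !supported[name].includes(v)) v = FALLBACK[name][v];
    out[name] = v;
  }
  return out;
}
// Priority order: HTTP header strings before <meta>, then the highest understood version,
// then first encountered; a string that fails to parse is skipped in favour of the next one.
function choosePolicy(httpStrings, metaStrings, supported) {
  const cands = [...httpStrings.map((s) => [0, s]), ...metaStrings.map((s) => [1, s])]
    .map(([src, s], i) => ({ src, s, i, version: Number((/^\s*(\d+);/.exec(s) || [])[1]) }))
    .filter((c) => c.version <= KNOWN_VERSION) // NaN (no version prefix) is dropped here too
    .sort((a, b) => a.src - b.src || b.version - a.version || a.i - b.i);
  for (const c of cands) {
    const parsed = parsePolicy(c.s);
    if (parsed) return resolve(parsed.pairs, supported);
  }
  return {}; // no usable policy: every restriction keeps its default of "all"
}
```

Note that the page's own example writes cookies= rather than the defined name cookie, so under these rules that pair is silently ignored as unrecognised.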