Script ½ÅÍפÊs

¸«²ò¡¿ËÝÌõ¡¿ÈÇ 0.2 - 2005-04-03

Introduction

This is an idea for the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í-Ì£Êý¤¹¤ë mitigation of Cross-¾ì½ê¡¿°ÌÃÖ Scripting (XSS). It's based on the same ¸¶Â§ as "Content À©¸Âs" - that of the ¾ì½ê¡¿°ÌÃÖ owner ÌÀ¼¨¤¹¤ëing which scripts should be permitted and which not - but takes a ¤ï¤º¤«¤Ë different and complementary approach. This is an updated ¸«²ò¡¿ËÝÌõ¡¿ÈÇ of an ½é¤á¤Î Äó°Æ in a blog ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë.

Idea

An HTTP header, Script-½ÅÍפÊ, defines a ̵ºî°Ù¤Î string or "½ÅÍפÊ", and only script ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ëing that string is µö¤¹d to ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë. As the string will be different for every page Ééô, static ÃíÆþ¤¹¤ëd script would not be Àµ³Î¤Ë labelled and therefore would not be permitted to run. ÌÀÇò¤Ë, if it can't run, it can't ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë the ½ÅÍ×¤Ê and label itself in any way.

The text of the script just has to ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ë the ½ÅÍ×¤Ê - in a comment is ȳ¶â. So the labelling might work as follows:

Content-Type: text/html
Script-½ÅÍפÊ: D3FC219A
...
     
<script type="text/javascript">
  // D3FC219A
  ...
</script>
...

<p onclick="/* D3FC219A */ ..." >
...
</p>

Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë how to label ³°Éô¤Î scripts is still to be decided. It may be that the ½ÅÍ×¤Ê has to be in the text of the ³°Éô¤Î script ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë, or it may be that we would µö¤¹ this:

Content-Type: text/html
Script-½ÅÍפÊ: D3FC219A
...
     
<script src="somescript.js">
// D3FC219A
</script>

This latter approach has the advantage that the ³°Éô¤Î script ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë can be the same for all »ÈÍѼÔs (static), but has the disadvantage that if an ¹¶·â¼Ô can manipulate the "src" ¤»¤¤¤Ë¤¹¤ë, they can point it at their own script.

Discussion

Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë what the ½ÅÍ×¤Ê is made up of, and how often and when it changes is ´°Á´¤Ë up to the ¼Â»Ü. This gives ºÇÂç¸Â freedom to balance °ÂÁ´ and convenience. At one extreme, having a ´°Á´¤Ë static ½ÅÍ×¤Ê doesn't defend against much (except perhaps ¼«Æ°²½¤¹¤ëd attacks against a large number of ¾ì½ê¡¿°ÌÃÖs running the same ¥½¥Õ¥È¥¦¥§¥¢). At the other, having the ½ÅÍ×¤Ê change with every page Ééô would ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë problems if ³°Éô¤Î scripts are ¡ÊÉð´ï¤Ê¤É¤Î¡Ë±£Æ¿¾ì½êd and so have an incorrect ½ÅÍפÊ.

Having the ½ÅÍ×¤Ê »Ï¤á¤ë¡¤·è¤á¤ë on a per-»ÈÍÑ¼Ô basis, ¸ºß Ãߤ¨¤ë¡¿Å¹d in a database or even just ¸ºß their ³«²ñ¡¿³«Äî¡¿²ñ´ü ID, has much to recommend it. This µö¤¹s ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í-Ì£Êý¤¹¤ë ¡ÊÉð´ï¤Ê¤É¤Î¡Ë±£Æ¿¾ì½êing to work much as before, and µö¤¹s another server to take over serving pages to that »ÈÍÑ¼Ô in a Ééô-balancing ¾õ¶·¡¿¾ðÀª.

¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë that Script ½ÅÍפÊs don't have to be used in every part of a ¾ì½ê¡¿°ÌÃÖ. For example, ½ã¿è¤Ë static pages would not need to use them, because there's no ´í¸± of XSS.

Comparison

So how does this approach compare with Content À©¸Âs? The two are complementary. Content À©¸Âs À©¸Â¤¹¤ës by ability - so two Éõº¿¤¹¤ës of code doing Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë the same thing would have the same abilities, and would work or fail in the same way. Script ½ÅÍפÊs µö¤¹s you to distinguish between those two Éõº¿¤¹¤ës, so that one ºîÉÊ and one fails, but does not µö¤¹ you to À©¸Â¤¹¤ë the ability of either Éõº¿¤¹¤ë once it's running.