Reining in the web with content security policy

Proceedings of the 19th International Conference on World Wide Web, WWW '10

Volumn , Issue , 2010, Pages 921-929

  Stamm, Sid ^a   Sterne, Brandon ^a   Markham, Gervase ^a  

^a Mozilla Corporation   (United States)

Author keywords

content restrictions; http; security policy; web security

Indexed keywords

ALERT SYSTEMS; CONTENT SECURITY; CROSS-SITE SCRIPTING; FIREFOX; IDEAL SOLUTIONS; MALWARES; MOZILLA; PROTOTYPE IMPLEMENTATIONS; SECURITY MECHANISM; SECURITY POLICY; WEB APPLICATION; WEB APPLICATION VULNERABILITY; WEB SECURITY;

AGRICULTURE; COMPUTER CRIME; SECURITY OF DATA; SECURITY SYSTEMS; SOFTWARE PROTOTYPING; WEB BROWSERS; WORLD WIDE WEB;

HTTP;

EID: 77954584716     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1772690.1772784     Document Type: Conference Paper

References (22)

1. J. Burke. Jsonrequest, part 2 (cross domain policy for all). Blog, March 2006. URL: http://tagneto.blogspot.com/2006/03/jsonrequest-part-2-cross-domain- policy.html.
2. S. Cook. A web developer's guide to cross-site scripting, January 2003. http://www.giac.org/practical/GSEC/Steve-Cook-GSEC.
3. M. Corporation. Bug 493857: Implement content security policy. https://bugzilla.mozilla.org/show bug.cgi?id=csp, May 2009.
4. M. Corporation. Content security policy formal specification. https://wiki.mozilla.org/Security/CSP/Spec, May 2009.
5. D. Danchev. Mass iframe injectable attacks, March 2008. http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html.
6. J. Grossman. Whitehat website security statistics report. Whitepaper, WhiteHat, http://www.whitehatsec.com/home/assets/WPstats0808.pdf, August 2008.
7. M. V. Gundy and H. Chen. Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 8-11, 2009.
8. C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh. Protecting browsers from dns rebinding attacks. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, pages 421-431, New York, NY, USA, 2007. ACM.
9. C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Stanford safecache. http://www.safecache.com.
10. C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Stanford safehistory. http://www.safehistory.com.
11. C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Protecting browser state from web privacy attacks. In WWW '06: Proceedings of the 15th international conference on World Wide Web, pages 737-744, New York, NY, USA, 2006. ACM.
12. M. Jakobsson and S. Stamm. Invasive browser sniffing and countermeasures. In WWW '06: Proceedings of the 15th international conference on World Wide Web, pages 523-532, New York, NY, USA, 2006. ACM.
13. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW '07: Proceedings of the 16th international conference on World Wide Web, pages 601-610, New York, NY, USA, 2007. ACM.
14. N. Jovanovic, E. Kirda, and C. Kruegel. Preventing cross site request forgery attacks. In the IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks (Securecomm), pages 1-10, September 2006.
15. Z. Mao, N. Li, and I. Molloy. Defeating cross-site request forgery attacks with browser-enforced authenticity protection. In Financial Cryptography and Data Security: 13th International Conference, FC 2009, Accra Beach, Barbados, February 23-26, 2009. Revised Selected Papers, pages 238-255, Berlin, Heidelberg, 2009. Springer-Verlag.
16. A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble, and H. M. Levy. Spyproxy: execution-based detection of malicious web content. In SS'07: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, pages 1-16, Berkeley, CA, USA, 2007. USENIX Association.
17. T. Oda, G. Wurster, P. V. Oorschot, and A. Somayaji. Soma: Mutual approval for included content in web pages. In CCS'08: ACM Computer and Communications Security, October 2008.
18. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. Browsershield: vulnerability-driven filtering of dynamic html. In OSDI '06: Proceedings of the 7th symposium on Operating systems design and implementation, pages 61-74, Berkeley, CA, USA, 2006. USENIX Association.
19. C. Reis, S. D. Gribble, and H. M. Levy. Architectural principles for safe web programs. In Sixth Workshop on Hot Topics in Networks (HotNets) 2007, Atlanta, Georgia, November 2007.
20. J. Ruderman. In Mozilla Documentation, August 2001. URL: http://www.mozilla.org/projects/security/components/same-origin.html.
21. W3C. Access control for cross-site requests. Technical report, February 2008. http://www.w3.org/TR/access-control/.
22. H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and communication abstractions for web browsers in mashupos. In SOSP '07: Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, pages 1-16, New York, NY, USA, 2007. ACM.