Enhancing Web Page Security with Security Style Sheets
Authors
Abstract
Although the web security community now has a variety of techniques that could help web developers defend against common attacks such as cross-site scripting and cross-site request forgery, this work is not in a form suitable for general use. What is needed is a web standard that unites these techniques using syntax and semantics that are easy for web developers to learn and straightforward for browser makers to implement. Here we propose such a standard, Security Style Sheets, a browser-enforced policy language modelled on Cascading Style Sheets. Security Style Sheets provides an extensible policy framework that allows policy to be separated from content and to be specified at both coarse and fine levels of granularity. In this paper we present the syntax and semantics of Security Style Sheets, explain its relationship to past web security proposals and to CSS, and give examples of how it could be used to protect mainstream websites such as Facebook. Following the model of CSS and the Acid3 tests, we also present a conformance suite for Security Style Sheets.
Similar references
Automated Detecting and Repair of Cross-Site Scripting Vulnerabilities
The best practice to prevent Cross Site Scripting (XSS) attacks is to apply encoders to sanitize untrusted data. To balance security and functionality, encoders should be applied to match the web page context, such as HTML body, JavaScript, and style sheets. A common programming error is the use of a wrong type of encoder to sanitize untrusted data, leaving the application vulnerable. We presen...
Image flip CAPTCHA
The massive and automated access to Web resources through robots has made it essential for Web service providers to make some conclusion about whether the "user" is a human or a robot. A Human Interaction Proof (HIP) like Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) offers a way to make such a distinction. CAPTCHA is a reverse Turing test used by Web serv...
Speeding up Web Page Loads with Shandian
Web page loads are slow due to intrinsic inefficiencies in the page load process. Our study shows that the inefficiencies are attributable not only to the contents and structure of the Web pages (e.g., three-fourths of the CSS resources are not used during the initial page load) but also the way that pages are loaded (e.g., 15% of page load times are spent waiting for parsing-blocking resources...
Licensing IP embodied in standards
How should a standardization body such as the IEEE deal with patents and copyrights on technology essential to using a standard? A recent controversy within the World Wide Web Consortium (W3C, ) over a Microsoft patent illustrates the kind of problem that can arise when intellectual property rights cloud users' right of access to a standard. As yet, the IEEE has not developed...
Today's Style Sheet Standards: The Great Vision Blinded
, attribute the Web's continuing development crisis to the failure of commercial browsers to fully implement agreed-upon standards. This is an important issue: Nonconformant and incomplete implementations have been a nightmare for Web developers. However, there is a deeper issue— one that has had little public discussion: Will these standards actually provide the envisioned benefits for the We...