Team for Research in
Ubiquitous Secure Technology

Towards Client-side HTML Security Policies
Joel Weinberger, Adam Barth, Dawn Song

Citation
Joel Weinberger, Adam Barth, Dawn Song. "Towards Client-side HTML Security Policies". Proceedings of the 6th USENIX conference on Hot topics in security (HotSec11), Usenix, 2011.

Abstract
With the proliferation of content-rich web applications, content injection has become an increasing problem. Cross-site scripting is the most prominent example of this. Many systems have been designed to mitigate content injection and cross-site scripting. Notable examples are BEEP, BLUEPRINT, and Content Security Policy, which can be grouped as HTML security policies. We evaluate these systems, including the first empirical evaluation of Content Security Policy on real applications. We propose that HTML security policies should be the defense of choice in web applications going forward. We argue, however, that current systems are insufficient for the needs of web applications, and research needs to be done to determine the set of properties an HTML security policy system should have. We propose several ideas for research going forward in this area.

Citation formats
  • HTML
    Joel Weinberger, Adam Barth, Dawn Song. <a href="http://www.truststc.org/pubs/855.html">Towards Client-side HTML Security Policies</a>, Proceedings of the 6th USENIX conference on Hot topics in security (HotSec11), Usenix, 2011.
  • Plain text
    Joel Weinberger, Adam Barth, Dawn Song. "Towards
    Client-side HTML Security Policies". Proceedings of the
    6th USENIX conference on Hot topics in security (HotSec11),
    Usenix, 2011.
  • BibTeX
    @inproceedings{WeinbergerBarthSong11_TowardsClientsideHTMLSecurityPolicies,
        author = {Joel Weinberger and Adam Barth and Dawn Song},
        title = {Towards Client-side HTML Security Policies},
        booktitle = {Proceedings of the 6th USENIX conference on Hot
                  topics in security (HotSec11)},
        organization = {Usenix},
        year = {2011},
        abstract = {With the proliferation of content rich web
                  applications, content injection has become an
                  increasing problem. Cross site scripting is the
                  most prominent example of this. Many systems have
                  been designed to mitigate content injection and
                  cross site scripting. Notable examples are BEEP,
                  BLUEPRINT, and Content Security Policy, which can
                  be grouped as HTML security policies. We evaluate
                  these systems, including the first empirical
                  evaluation of Content Security Policy on real
                  applications. We propose that HTML security
                  policies should be the defense of choice in web
                  applications going forward. We argue, however,
                  that current systems are insufficient for the
                  needs of web applications, and research needs to
                  be done to determine the set of properties an HTML
                  security policy system should have. We propose
                  several ideas for research going forward in this
                  area.},
        URL = {http://www.truststc.org/pubs/855.html}
    }

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.