Towards Client-side HTML Security Policies

Towards Client-side HTML Security Policies
Joel Weinberger, Adam Barth, Dawn Song

Citation
Joel Weinberger, Adam Barth, Dawn Song. "Towards Client-side HTML Security Policies". Proceedings of the 6th USENIX conference on Hot topics in security (HotSec11), Usenix, 2011.

Abstract
With the proliferation of content rich web applications, content injection has become an increasing problem. Cross site scripting is the most prominent examples of this. Many systems have been designed to mitigate content injection and cross site scripting. Notable examples are BEEP, BLUEPRINT, and Content Security Policy, which can be grouped as HTML security policies. We evaluate these systems, including the first empirical evaluation of Content Security Policy on real applications. We propose that HTML security policies should be the defense of choice in web applications going forward. We argue, however, that current systems are insufficient for the needs of web applications, and research needs to be done to determine the set of properties an HTML security policy system should have. We propose several ideas for research going forward in this area.

Electronic downloads

weinberger-barth-song-1.pdf · application/pdf · 139 kbytes

Citation formats

HTML

Joel Weinberger, Adam Barth, Dawn Song. <a
href="http://www.truststc.org/pubs/855.html"
>Towards Client-side HTML Security Policies</a>,
Proceedings of the 6th USENIX conference on Hot topics in
security (HotSec11), Usenix, 2011.

Plain text

Joel Weinberger, Adam Barth, Dawn Song. "Towards
Client-side HTML Security Policies". Proceedings of the
6th USENIX conference on Hot topics in security (HotSec11),
Usenix, 2011.

BibTeX

@inproceedings{WeinbergerBarthSong11_TowardsClientsideHTMLSecurityPolicies,
    author = {Joel Weinberger and Adam Barth and Dawn Song},
    title = {Towards Client-side HTML Security Policies},
    booktitle = {Proceedings of the 6th USENIX conference on Hot
              topics in security (HotSec11)},
    organization = {Usenix},
    year = {2011},
    abstract = {With the proliferation of content rich web
              applications, content injection has become an
              increasing problem. Cross site scripting is the
              most prominent examples of this. Many systems have
              been designed to mitigate content injection and
              cross site scripting. Notable examples are BEEP,
              BLUEPRINT, and Content Security Policy, which can
              be grouped as HTML security policies. We evaluate
              these systems, including the first empirical
              evaluation of Content Security Policy on real
              applications. We propose that HTML security
              policies should be the defense of choice in web
              applications going forward. We argue, however,
              that current systems are insufficient for the
              needs of web applications, and research needs to
              be done to determine the set of properties an HTML
              security policy system should have. We propose
              several ideas for research going forward in this
              area.},
    URL = {http://www.truststc.org/pubs/855.html}
}

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.