Title of invention: Methods and systems for scripting defense
Abstract: Methods and systems for cross-site scripting (XSS) defense are described herein. An embodiment includes embedding one or more tags in content at a server to identify executable and non-executable regions in the content and transmitting the content with the tags to a client based on a request from the client. Another embodiment includes receiving content embedded with one or more permission tags from a server, processing the content and the permission tags, and granting permission to a browser to execute executable content in the content based on the permission tags. A method embodiment also includes receiving content embedded with one or more verify tags from a server, performing an integrity check using the verify tags and granting permission to a browser to execute executable content in the content based on the integrity check.
Publication number: US8931084(B1) Publication date: 2015.01.06
Application number: US200912558173 Filing date: 2009.09.11
Applicant: Google Inc. Inventors: Paya Cem;Sigurdsson Johann Tomas;Gwalani Sumit
Classification: H04L29/06;H04L29/08;G06F21/12 Main classification: H04L29/06
Agency: Fox Rothschild LLP Agent: Fox Rothschild LLP
Main claim: 1. A computer implemented method for processing permission tags embedded by a server to enable a client to identify executable or non-executable regions in content received by the client, comprising: sending a request from the client to the server for the content, wherein the client sends the request to the server through a browser running at the client, wherein the browser is configured to include: an opt-in setting that, when activated, causes the browser to run all executable content unless expressly forbidden by a permission tag, and an opt-out setting that, when activated, causes the browser to run no executable content except that which is expressly permitted by a permission tag; receiving the content embedded with one or more permission tags from the server, wherein each of the permission tags comprises a permission attribute that indicates whether any script following the tag is to be executed; processing the content and the one or more permission tags; and granting permission to the browser to execute the content based on the one or more permission tags in the content.
Address: Mountain View CA US