Title of invention: CROSS-SITE SCRIPTING FILTER
Abstract: A reflected cross-site scripting (XSS) mitigation technique that can be implemented wholly on the client by installing a client-side filter that prevents reflected XSS vulnerabilities. XSS filtering performed entirely on the client-side enables web browsers to defend against XSS involving servers which may not have sufficient XSS mitigations in place. The technique accurately identifies XSS attacks using carefully selected heuristics and matching suspect portions of URLs and POST data with reflected page content. The technique used by the filter quickly identifies and passes through traffic which is deemed safe, keeping performance impact from the filter to a minimum. Non-HTML MIME types can be passed through quickly as well as requests which are same-site. For the remaining requests, regular expressions are not run across the full HTTP response unless XSS heuristics are matched in the HTTP request URL or POST data.
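Publication number: US2009119769(A1) Publication date: 2009.05.07
Application number: US20070935323 Filing date: 2007.11.05
Applicant: MICROSOFT CORPORATION Inventors: ROSS DAVID A.; LIPNER STEVEN B.
Classification: G06F21/00 Main classification: G06F21/00
Agency: Agent:
Main claim:
Address: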