Content Security Policy

W3C today released a draft specification for a method to detect and block XSS-type attacks:

The purpose of this specification is to provide a method for web applications to broadly address a large class of vulnerabilities known as content injection, which is the primary focus of Content Security Policy. Other threats, such as cross-site request forgery, are not a focus of this specification.

Content Security Policy is a declarative policy framework that enables web authors and server administrators to specify the permitted sources of content in their web applications and to restrict the capabilities of that content. Content Security Policy mitigates and detects content injection attacks such as cross-site scripting (XSS).

Content Security Policy is not intended to be a fool-proof security system, but it is intended to provide an effective layer of security that will dovetail with any site’s existing web application security program.

Content Security Policy is an opt-in mechanism which requires that servers explicitly declare a security policy in order to receive any of the protection described in this document. Content Security Policies are applied by the user-agent on a per resource basis, so servers must emit a security policy with each resource that the server wants protected.

via Content Security Policy.
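To make the quoted description concrete, here is a small added example (my own illustrative code, not part of the W3C draft or of any browser) showing the two halves of the mechanism: the server serialising a declarative policy into a header that it must emit with every protected response, and a user-agent-style check that answers "would this load be allowed?" for a given page origin and resource URL. It uses the header and directive names of the standardised CSP (`Content-Security-Policy`, `Content-Security-Policy-Report-Only`, `default-src`, `script-src`, `report-uri`, the `'self'`, `'none'` and `'unsafe-inline'` keywords), which are assumed here and may differ from the early draft the post links to. Source matching is deliberately simplified (no port, path, wildcard-host or scheme-upgrade rules); the origins and URLs in the demo are constructed.

```python
"""Added example: build, parse and evaluate a Content Security Policy.

Illustrative code only; not from the W3C draft or any browser engine.
Matching is simplified: scheme + host only, no ports, paths or wildcards.
"""
from urllib.parse import urlparse

HEADER = "Content-Security-Policy"                       # enforce the policy
HEADER_REPORT_ONLY = "Content-Security-Policy-Report-Only"  # detect only, never block


def build_csp(directives):
    """Serialise {directive: [sources]} into a single header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def parse_csp(value):
    """Parse a header value back into {directive: [sources]} (names lower-cased)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _sources_for(policy, directive):
    """Fetch directives fall back to default-src when they are not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def source_allowed(policy, directive, page_origin, resource_url):
    """True if a page at page_origin may load resource_url under `directive`."""
    sources = _sources_for(policy, directive)
    if sources is None:
        return True  # the policy says nothing about this content type
    page, res = urlparse(page_origin), urlparse(resource_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if (res.scheme, res.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # other keywords ('unsafe-inline', ...) never match a URL
        else:
            # host source, with or without scheme: "cdn.example.com" / "https://cdn.example.com"
            want = urlparse(src if "://" in src else f"{page.scheme}://{src}")
            if (res.scheme, res.netloc) == (want.scheme, want.netloc):
                return True
    return False


def inline_script_allowed(policy):
    """An injected inline <script> runs only if the policy opts back in via 'unsafe-inline'.

    This is the XSS mitigation in one line: reflected markup that the attacker
    controls cannot point at a permitted host, and inline code is off by default.
    """
    sources = _sources_for(policy, "script-src")
    return sources is None or "'unsafe-inline'" in sources


def csp_headers(directives, report_only=False, report_uri=None):
    """(name, value) header pair to emit with each response the server wants protected.

    report_only=True is the 'detect' half of "mitigates and detects": violations are
    reported to report_uri but nothing is blocked, which is how a site rolls out a
    policy without breaking itself.
    """
    directives = dict(directives)
    if report_uri:
        directives["report-uri"] = [report_uri]
    return (HEADER_REPORT_ONLY if report_only else HEADER), build_csp(directives)


if __name__ == "__main__":
    # Constructed sample: app served from app.example.com, scripts also from one CDN.
    policy_text = build_csp({"default-src": ["'self'"],
                             "script-src": ["'self'", "https://cdn.example.com"]})
    policy = parse_csp(policy_text)
    page = "https://app.example.com"
    print(policy_text)
    print(source_allowed(policy, "script-src", page, "https://cdn.example.com/lib.js"))      # True
    print(source_allowed(policy, "script-src", page, "https://attacker.example.net/x.js"))  # False
    print(inline_script_allowed(policy))  # False: reflected <script>...</script> is blocked
    print(csp_headers({"default-src": ["'self'"]}, report_only=True, report_uri="/csp-report"))
```

The per-resource point in the last quoted paragraph is why `csp_headers` is written as a function you call when building each response rather than something set once: a page that is served without the header gets no protection, however good the policy on the pages around it is.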