I'd like to present to the group for comment my "Content Restrictions" proposal. http://www.gerv.net/security/content-restrictions/

In a nutshell, it's a new HTTP header (or perhaps also an http-equiv meta tag) which allows a web page to ask the user agent to place restrictions of various sorts on script and other content within the page. It's designed as a way for the UA to "read the web-designer's mind", and so if (for example) the web designer says that the page does not use any script at all, the UA can ignore script in the page as obviously the result of an XSS attack. In this way, it acts as a "backstop" which might catch various sorts of content injection attack in the event of a failure in secure coding practices. Because it's phrased as a set of restrictions, it is backwardly-compatible with user agents which don't support it or only support parts of it, whereas a positive capabilities-based system would not be.

I know this group is more concerned with extensions to HTML markup, but I was advised I might get good feedback on my proposal here. You may also have discussed similar or different solutions to the problem; I don't know, as (as my previous message notes) the list archives seem to be currently unavailable. I do think a header-based rather than a purely markup-based solution to this particular problem would be more secure, but I'm open to counter-arguments :-)

I intend (with the usual caveats about good intentions) to try and do a test implementation in the next few months to see if it could work in practice.

Gerv
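An added toy model of the backstop the post describes (example code, not code from the proposal or its author): the header name `Content-Restrictions`, the `no-script` token and the regex stand-in for the UA's parser are all assumptions, since the post itself gives no syntax. It shows the three properties the post argues for: injected script becomes inert when the page declared "no script", a page without the header is untouched, and an unknown token degrades to "do nothing".

```python
"""Toy model of a 'Content Restrictions' backstop: the server declares what the
page does NOT use, and the user agent ignores content that contradicts it."""
import re

# Hypothetical header name and token syntax, assumed for this example only;
# the real proposal (see the URL in the post) defines its own grammar.
HEADER = "Content-Restrictions"

# Regex stand-ins for the UA's HTML parser (a real UA would act on the DOM).
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
EVENT_HANDLER = re.compile(r"\s+on[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)",
                           re.IGNORECASE)


def parse_restrictions(headers):
    """Return the set of restriction tokens the page asked for, lower-cased.
    Missing header -> empty set, i.e. legacy behaviour with no restrictions."""
    value = headers.get(HEADER, "")
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}


def apply_restrictions(headers, html):
    """Simulate the UA: honour the tokens it understands, ignore the rest.
    Returns the (possibly filtered) HTML and how many items were neutralised."""
    wanted = parse_restrictions(headers)
    stripped = 0
    if "no-script" in wanted:
        # The designer said the page contains no script, so any <script> or
        # inline event handler present must have been injected: drop it.
        html, n = SCRIPT_TAG.subn("", html)
        stripped += n
        html, n = EVENT_HANDLER.subn("", html)
        stripped += n
    # Tokens this UA does not know (e.g. a newer restriction) are skipped,
    # which is why a restrictions-only scheme is safe on older or partial UAs.
    return html, stripped


# Constructed sample: a page whose comment field was reflected unescaped.
INJECTED = ('<html><body><p>Hello</p>'
            '<script>alert(1)</script>'
            '<img src=x onerror="alert(1)"></body></html>')

if __name__ == "__main__":
    filtered, count = apply_restrictions({HEADER: "no-script"}, INJECTED)
    print(count, "injected item(s) neutralised:", filtered)
```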
