`
rmfish
  • 浏览: 865 次
  • 性别: Icon_minigender_1
  • 来自: 天津
最近访客 更多访客>>
社区版块
存档分类
最新评论

内容限制(Content Restrictions )

    博客分类:
  • XSS
阅读更多
原文地址: http://www.gerv.net/security/content-restrictions/

Introduction

Cross-site scripting (XSS) attacks would always fail if the browser could know for absolute certain which scripts were legitimate and which were malicious. In the absence of affordable and reliable mind-reading technology, and in consideration of the mental fatigue this would undoubtedly induce in web page authors, this specification allows a site designer to explain his state of mind to the user agent by specifying restrictions on the capabilities of his content.

As a real-world example, a webmail system might serve an HTML email and specify that the user agent should not execute any script in the body of that page. This means that, even if the webmail system's content-filtering process failed, the user of a conforming user agent would not be at risk from malicious content in the attachment.

Goal

This mechanism is primarily intended to aid in the prevention or mitigation of cross-site scripting (XSS) attacks. Sites would define and serve Content Restrictions for pages which contained untrusted content which they had filtered. If the filtering failed, the Content Restrictions may still prevent malicious script from executing or doing damage.

Note that this specification is designed to be a backstop to server-side content filtering, not a replacement for it. There is intentionally no defined way for a server to determine the existence of or level of support for this specification in a given user agent. It's about protecting the user and covering the designer's ass, not about allowing him to be lazy.
Restrictions

This specification is intended to be content-agnostic, but the initial implementation will focus on HTML and the exact meaning for HTML or XHTML content is specified as a guide. "all" is the default in all cases.
分享到:
评论

相关推荐

    postfix部署多个Content Filter的方法.docx

    例如,`smtpd_client_restrictions`、`smtpd_helo_restrictions`、`smtpd_sender_restrictions`以及`smtpd_recipient_restrictions`等限制策略应根据实际情况设置,以防止不必要的连接和保护服务器免受恶意攻击。...

    ISMS Auditor_Lead Auditor Training Course

    附加内容(Additional Content) 由于文档的内容被截断,无法获得完整的附加信息,不过在正常的培训材料中,一般会包含大量的案例研究、实例分析、最佳实践以及与ISO 27001相关的术语和定义等内容。这些内容有助于...

    Fundamentals_of_Python_-_First_Programs.pdf.pdf

    “The publisher reserves the right to remove additional content at any time if subsequent rights restrictions require it”,这表明尽管本书是关于Python编程基础的,但其内容可能会受到版权保护的限制,也...

    Office Open XML

    - **模式限制(Schema Restrictions for Core Properties):** 规定了核心属性部分所使用的模式(schema)的一些限制。 #### 缩略图(Thumbnails) **缩略图(Thumbnails)** 用于快速预览文档的内容,这部分详细介绍了...

    Office Open XML Part 2 - Open Packaging Conventions.pdf

    - **11.4 Schema Restrictions for Core Properties** - **定义:** 对核心属性部分的模式限制。 - **作用:** 确保核心属性的信息结构保持一致性和有效性。 #### 缩略图 **12. Thumbnails** - **12.1 ...

    Postfix配置详解

    接下来,我们将详细解析Postfix的配置知识点,基于给定的文件内容。 ### 一、Postfix的基本配置概念 #### 1. 主配置文件 Postfix的主要配置文件是`main.cf`,它包含了所有关于邮件服务器如何运行的核心参数。例如...

    禁用internet选项中的部分功能

    6. **禁用“内容”选项卡**:在`HKEY_CURRENT_USER\Software\Policies\Microsoft\InternetExplorer\ControlPanel`路径下创建名为`ContentTab`的DWORD值,并将其值设为1 (0x1),以禁用“内容”选项卡。 7. **禁用代理...

    注册表收集的一个集合

    除了控制选项卡和设置的可更改性外,《注册表收集的一个集合》还提到了位于`HKEY_CURRENT_USER\Software\Policies\Microsoft\InternetExplorer\Restrictions`下的键值,用于控制Internet Explorer的菜单项: ...

    详解/etc/postfix下 main.cf 配置文件

    `content_filter`配置项用于设置内容过滤器,这里配置为`smtp-amavis`,表明Postfix会通过SMTP与本地的Amavis服务进行通信,进行邮件内容的扫描和过滤。 `mailbox_size_limit`设定了每个邮箱的最大大小,以字节为...

Global site tag (gtag.js) - Google Analytics