Rksethi at 23:10, 29 November 2010

2010-11-29T23:10:42Z

Spinkham: /* Requirement Description */ Add benifits of CSP reporting

2010-11-10T23:18:17Z

‎Requirement Description: Add benifits of CSP reporting

Yuk Fai Chan: Created page with '''Secure Web Application Framework Manifesto'' Authors: Tom Aratyn, Sahba Kazerooni, Patrick Szeto, & Rohit Sethi Version 0.08 http://www.securitycompass.com labs@securitycom…'

2010-10-21T00:12:52Z

Created page with '''Secure Web Application Framework Manifesto'' Authors: Tom Aratyn, Sahba Kazerooni, Patrick Szeto, & Rohit Sethi Version 0.08 http://www.securitycompass.com labs@securitycom…'

Show changes

← Older revision		Revision as of 23:10, 29 November 2010
Line 2:		Line 2:

	Authors: Tom Aratyn, Sahba Kazerooni, Patrick Szeto, & Rohit Sethi		Authors: Tom Aratyn, Sahba Kazerooni, Patrick Szeto, & Rohit Sethi
−
−	~~Version 0.08~~
−
−	~~http://www.securitycompass.com~~
−
−	~~labs@securitycompass.com~~

@@ Line 336: / Line 336: @@
 Mozilla proposed [http://people.mozilla.org/~bsterne/content-security-policy/ CSP] to help protect against Cross Site Scripting. Although CSP, at the time of this writing, is not fully implemented in most browsers, a secure web application framework should proactively provide this control for when CSP becomes standard.
-CSP allows developers to specify which domains a web application allows to host its scripts. A browser that complies with CSP will, when instructed to, only run scripts from the whitelisted domains and avoid executing inline or event handling HTML attribute scripts. CSP also helps protect against [http://ha.ckers.org/blog/20080915/clickjacking/ Clickjacking] by specifying “which sites may embed contents from my site”.
+CSP allows developers to specify which domains a web application allows to host its scripts. A browser that complies with CSP will, when instructed to, only run scripts from the whitelisted domains and avoid executing inline or event handling HTML attribute scripts. CSP also helps protect against [http://ha.ckers.org/blog/20080915/clickjacking/ Clickjacking] by specifying “which sites may embed contents from my site”. Finally, CSP provides for an optional report-url to which all policy violations will be reported, allowing detection of attacks and proactive response to protect non-CSP enabled browsers.
 Automatically generate CSP headers that restrict script access to the application’s domain and prevent inline / event handling HTML attribute scripts unless necessary. Provide tools to easily extend the list of white-listed domains when required. By default, disallow all other sites from being embedded within the application’s contents unless necessary.

Projects/OWASP Secure Web Application Framework Manifesto/Releases/Current/Manifesto - Revision history

Rksethi at 23:10, 29 November 2010

Spinkham: /* Requirement Description */ Add benifits of CSP reporting

Yuk Fai Chan: Created page with '''Secure Web Application Framework Manifesto'' Authors: Tom Aratyn, Sahba Kazerooni, Patrick Szeto, & Rohit Sethi Version 0.08 http://www.securitycompass.com labs@securitycom…'