Carleton University
Technical Report TR-11-04
February 22, 2011

Enhancing Web Page Security with Security Style Sheets

Terri Oda & Anil Somayaji

Abstract

Although the web security community now has a variety of techniques that could help web developers to defend against common attacks such as cross-site scripting and cross-site request forgery, this work is not in a form suitable for general use. What is needed is a web standard that unites these techniques using syntax and semantics that are easy for web developers to learn and straightforward for browser makers to implement. Here we propose such a standard, Security Style Sheets, a browser-enforced policy language modelled on Cascading Style Sheets. Security Style Sheets provides an extensible policy framework that allows policy to be separated from content and to be specified at both coarse and fine levels of granularity. In this paper we present the syntax and semantics of Security Style Sheets, explain its relationship with past web security proposals and CSS, and give examples of how it could be used to protect mainstream websites such as Facebook. Following the model of CSS and the Acid3 tests, we also present a conformance suite for Security Style Sheets.