Currently, the only defence against Cross-Site Scripting (XSS) attacks is for the server to filter or escape untrusted content before it is written into the page. If that fails, the user agent is wide open. In the absence of any information from the site designer, the user agent cannot tell which scripts in the page were intended and which were injected, so it has to execute them all.
So, the perfect way to prevent XSS attacks would be for the user agent to read the website designer’s mind to determine which scripts embedded in a page were legitimate and which were malicious. In the absence of affordable and reliable mind-reading technology, and in consideration of the mental fatigue this would undoubtedly induce in web page authors, my new paper, “Content Restrictions”, presents the draft specification of a way for a site designer to explain his state of mind to the user agent: the site declares restrictions on the capabilities of its own content, and the user agent enforces them, refusing to execute anything the declaration does not permit.
I hope to turn this into a draft RFC soon, so any comments would be extremely welcome.