Visual Security Policy for the Web

Many web security vulnerabilities allow parts of a page to interact when they should be isolated. Such vulnerabilities can be mitigated by implementing protection boundaries between web page elements. Several methods exist for creating such boundaries, but existing methods require relatively sophisticated knowledge of web technologies. To make protection mechanisms available to a wider audience, we propose a simple web page security policy language, ViSP, modelled on mechanisms for specifying page layout. Here we characterise ViSP and describe a simple Firefox-based prototype that allows interactive, graphical specification of per-page security policies. We also show how these tools can be used to protect against cross-site scripting (XSS) attacks on common web applications.