Since we use the front-end script

So far, the XSS defenses that can be built with front-end script have all been listed. Although it looks very complicated and cumbersome, most of that was theoretical discussion, and not all of it has to be implemented in practice. Our goal is to raise alarms and find problems on the live site, not to be watertight.

In fact, HTML5 has already developed a browser-level XSS solution, Content Security Policy, and most major browsers implement this standard. Since we are re-implementing it with a front-end script, what advantages does that have?

Compatibility

CSP is currently supported by most major browsers; IE10 and IE11 support part of its features. For anything before IE10 there is, of course, nothing to be done. With a front-end script, on the other hand, the defense can be scaled up or down according to what the browser actually supports. The DOM-XSS defense described in the first chapter only needs the standard event model to be supported, so it is entirely feasible on IE9. In fact, IE8 already exposes the browser API interfaces and supports accessor (getter/setter) operations, so IE8 supports the hooks and can intercept suspicious elements. Taking practice into account, in most cases we do not intercept at all, only log and report a warning. For such a low requirement, any browser version is completely feasible, even IE6. Since domestic IE browsers still hold a considerable share, a front-end script program can cover a wider user base.

Deployment

CSP is deployed via HTTP headers; the policy configuration is stored in the Content-Security-Policy field, and therefore has to be configured on the web server. For small and medium sites built on virtual hosting, this is more troublesome to configure.
A script program only needs a script tag inserted into the page; there is no need to care about back-end deployment, modifying the policy does not require restarting the service, and maintenance is easier. However, CSP will in future support deployment within the page, allowing the policy to be configured through meta tags, so its practicality will improve substantially. Of course, the problems the standard faces today will disappear as it improves and time moves on. So any program only solves the problems of the moment.

Performance

Without a doubt, native browser support is more efficient than simulating it. Earlier, to cover all kinds of situations, we needed to install all kinds of events and hooks, which felt very cumbersome. But that was only the theoretically strictest defense; in reality, for basic warnings, there is no need to monitor everything. For the test, we still consider the most stringent conditions.

According to the results discussed in the previous articles, we built a prototype demonstration. To be able to simulate both online and offline, we also made a Chrome plug-in that injects the script into live pages: the scripts, plug-ins, network communication and so on used by the page are all monitored in the console, and displayed in different colors according to which policy they match.

Let's look at the performance impact. Although we enabled all the monitoring, the time taken by initialization is still acceptable. (Test environment: i3 2.3G notebook, Win7 64-bit.) After all, hooks in JavaScript only modify variables; there is no way to modify memory directly as in a traditional language. Of course, this page's content is relatively small, so we can only see the situation at script startup.
Let's switch to a page with much more content. Because the page nests frames, and, as mentioned when discussing hooks, a new page environment also needs defending, a number of 'active defense' initializations are triggered. The 'static scan' content is the elements captured by MutationObserver. Since the page content is very large, the static elements are displayed while the HTML document is still downloading. Although the cumulative scanning time is considerable, it is basically negligible compared with the several seconds the whole page takes to load. The 'dynamic scan' content is the elements created later by script. As the scroll bar is pulled down, the number of scans gradually increases. Since we hooked createElement, calls will in theory be slower. But in reality it is rare to call this method in a burst; batches are mostly created through innerHTML with a template. In addition, we also hooked the commonly used setAttribute; its statistics are counted together with the accessor hooks under 'property inspection'. However, in reality most occasions don't need to call this method; after all, an attribute still has to be parsed from a string into the property, so where the property can be set directly, setAttribute is completely unnecessary. The accessor hooks are only triggered when the src property of script and embed elements is modified, and such operations are very few, so the extra cost of property scanning is also negligible.

Policy configuration

The biggest advantage of a script program is that its policy can be configured flexibly. Rules can be generated dynamically, and matching is not limited to pattern matching: wildcards or regular expressions are all OK. Everything is implemented by script, so everything can be decided by script.
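To make the hooks described above concrete, here is an added example of the core of such a script firewall. It is not the article's prototype or the author's code; it assumes two caller-supplied callbacks, `isAllowed(url)` for the policy decision and `report(entry)` for the log, and it takes a window-like object so the same code runs against the real `window` in a browser or against the constructed fake DOM at the bottom, which is only there so the demo runs offline. It wires up the three mechanisms from the text: a `createElement` hook for the dynamic scan, a `setAttribute` hook, and accessor hooks on the `src` setter of script and embed elements, plus the MutationObserver-style static scan over added nodes.

```javascript
const SRC_TAGS = new Set(['SCRIPT', 'EMBED']);

// Wrap the setter of an accessor property on a prototype so that
// onSet(element, value) can inspect or rewrite the value before the engine
// sees it. Returns false when the property is not an accessor, which is how
// the accessor hooks degrade gracefully on browsers without that support.
function hookSetter(proto, prop, onSet) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.set !== 'function') return false;
  Object.defineProperty(proto, prop, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(value) { desc.set.call(this, onSet(this, value)); },
  });
  return true;
}

// isAllowed(url) is the policy decision (assumed callback); report(entry)
// receives one log entry per violation; intercept=false gives "log only".
function createFirewall({ isAllowed, report, intercept = true }) {
  const stats = { created: 0, propertyChecks: 0, staticScanned: 0, blocked: 0 };

  // Single decision point: an off-policy src on a script-like element is a
  // violation. Returns the value the element should actually receive.
  function check(source, el, url) {
    stats.propertyChecks += 1;
    url = String(url);
    if (url === '' || isAllowed(url)) return url;
    stats.blocked += 1;
    report({ source, tagName: el.tagName, blockedUri: url, intercepted: intercept });
    return intercept ? '' : url; // a blank src prevents the load
  }

  function install(win) {
    const doc = win.document;
    const origCreate = doc.createElement;
    doc.createElement = function (tag) { // dynamic scan: count creations
      stats.created += 1;
      return origCreate.call(this, tag);
    };
    const origSetAttr = win.Element.prototype.setAttribute;
    win.Element.prototype.setAttribute = function (name, value) {
      if (String(name).toLowerCase() === 'src' && SRC_TAGS.has(this.tagName)) {
        value = check('setAttribute', this, value);
      }
      return origSetAttr.call(this, name, value);
    };
    // Accessor hooks: only the src setter of script and embed elements.
    for (const ctor of ['HTMLScriptElement', 'HTMLEmbedElement']) {
      if (win[ctor]) hookSetter(win[ctor].prototype, 'src', (el, v) => check('accessor', el, v));
    }
  }

  // Static scan, in the shape of a MutationObserver callback (records with
  // addedNodes). In a browser this would be registered with
  // new MutationObserver(scanMutations).observe(document, { childList: true, subtree: true }).
  function scanMutations(records) {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (!SRC_TAGS.has(node.tagName)) continue;
        stats.staticScanned += 1;
        const src = node.getAttribute('src') || '';
        if (check('static', node, src) !== src) node.removeAttribute('src');
      }
    }
  }

  return { install, scanMutations, stats };
}

// Constructed stand-in for the DOM so the demo runs outside a browser.
function makeFakeWindow() {
  class Element {
    constructor(tag) { this.tagName = tag.toUpperCase(); this.attrs = {}; }
    setAttribute(n, v) { this.attrs[n] = String(v); }
    getAttribute(n) { return n in this.attrs ? this.attrs[n] : null; }
    removeAttribute(n) { delete this.attrs[n]; }
  }
  class HTMLScriptElement extends Element {
    get src() { return this.getAttribute('src') || ''; }
    set src(v) { this.attrs.src = String(v); } // reflects to the attribute, like the real DOM
  }
  const document = {
    createElement: (tag) => (tag === 'script' ? new HTMLScriptElement(tag) : new Element(tag)),
  };
  return { document, Element, HTMLScriptElement };
}

// Offline demo with constructed URLs; the whitelist allows only the "current site".
function demo() {
  const logs = [];
  const fw = createFirewall({
    isAllowed: (url) => url.startsWith('https://www.example.com/'),
    report: (entry) => logs.push(entry),
  });
  const win = makeFakeWindow();
  fw.install(win);
  const ok = win.document.createElement('script');
  ok.src = 'https://www.example.com/app.js';
  const bad = win.document.createElement('script');
  bad.src = 'http://ad.hijack.invalid/inject.js';
  const viaAttr = win.document.createElement('script');
  viaAttr.setAttribute('src', 'http://ad.hijack.invalid/attr.js');
  const parsed = win.document.createElement('script');
  parsed.attrs.src = 'http://ad.hijack.invalid/static.js'; // as if it came from the HTML parser
  fw.scanMutations([{ addedNodes: [parsed] }]);
  return { logs, stats: fw.stats, okSrc: ok.src, badSrc: bad.src,
           attrSrc: viaAttr.getAttribute('src'), staticSrc: parsed.getAttribute('src') };
}
```

Running `demo()` shows the three paths the article measures separately: the off-site script assigned through the `src` accessor, the one set through `setAttribute`, and the one that was already in the markup are each logged once, while the same-site script passes untouched. Setting `intercept: false` turns this into the log-only mode the text recommends for production use.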
Of course, to adapt better to the CSP standard, we stay as close as possible to its policy specification, so that the two remain compatible with each other. Because of the script's flexibility, we support not only wildcards for matching site names but full regular expressions as well. Meanwhile, to make testing easier, the policy can be modified dynamically from the debugging console.

Below, we find a page with an XSS and test it right away: refresh, and the XSS executes. Although it does not execute in the same origin, it counts as an XSS all the same. Then we turn on our firewall with a whitelist policy for executable modules, allowing only resources from the current site and intercepting all others while sending alert logs. The moment of truth: the suspicious off-site module was intercepted successfully! At the same time, alert logs start being sent to the back end.

Logging

In the CSP reporting standard, the report format is fixed and the information it carries is limited. For a script this is no problem; you can add whatever information you want at any time.

You will certainly feel that the number of reports is not large; after all, there are only a few vulnerabilities. However, XSS in the broad sense is not necessarily caused by a vulnerability. XSS, Cross Site Script: as long as a script from outside the site appears in the page, it can be considered one. Normally this can only be caused by a flaw, but on some special occasions off-site scripts may appear in any page, for example the traffic hijacking discussed previously, or browser plug-ins; these are very common situations. Therefore, in addition to online warnings, we also gather statistics on ad hijacking by operators in various regions, as well as plug-ins on some pages.

Of course, bypassing it is also very easy.
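The policy and logging points above, namely keeping the CSP source-list syntax for compatibility, adding regular-expression matching that CSP cannot express, and emitting reports in the CSP report shape with extra fields appended, can be shown in one small module. This is an added example, not the article's or its author's code; the host names, URLs and the `/pattern/flags` notation for regex sources are constructed for the demo, and the port handling is simplified to "any port".

```javascript
// Policy module for a script firewall: CSP-compatible source lists plus
// regular expressions. All hosts and URLs are constructed for the demo.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Compile one source expression into { raw, test(url) }.
function compileSource(src, pageOrigin) {
  if (src === "'self'") return { raw: src, test: (u) => originOf(u) === pageOrigin };
  if (src === "'none'") return { raw: src, test: () => false };
  // Script-only extension (assumed notation): a /pattern/flags literal is a
  // regular expression tested against the full URL.
  if (src.startsWith('/') && src.lastIndexOf('/') > 0) {
    const end = src.lastIndexOf('/');
    const re = new RegExp(src.slice(1, end), src.slice(end + 1));
    return { raw: src, test: (u) => re.test(u) };
  }
  // host-source: [scheme://][*.]host[:port|:*][/path]. As in CSP, "*.a.b"
  // matches subdomains of a.b only, not a.b itself. Port matching is
  // simplified: any port is accepted unless an explicit number is given.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(src);
  if (!m) throw new Error('unsupported source expression: ' + src);
  const [, scheme, wild, host, port, path] = m;
  let re = '^' + (scheme ? escapeRe(scheme) : 'https?') + ':\\/\\/';
  re += (wild ? '(?:[^./]+\\.)+' : '') + escapeRe(host);
  re += port && port !== '*' ? ':' + port : '(?::\\d+)?';
  re += path ? escapeRe(path) : '(?:[/?#]|$)';
  const hostRe = new RegExp(re, 'i');
  return { raw: src, test: (u) => hostRe.test(u) };
}

// "directive src src; directive src" -> { directive: [compiled sources] }
function parsePolicy(text, pageOrigin) {
  const policy = {};
  for (const part of text.split(';')) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy[directive] = sources.map((s) => compileSource(s, pageOrigin));
  }
  return policy;
}

// CSP fallback rule: an absent directive falls back to default-src, and when
// neither exists the load is unrestricted.
function isAllowed(policy, directive, url) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  return sources.some((s) => s.test(url));
}

// Mirror the csp-report JSON shape, then append whatever extra context the
// script can collect (the part a real CSP report cannot carry).
function buildReport({ documentUri, directive, blockedUri, policyText, extra = {} }) {
  return {
    'csp-report': {
      'document-uri': documentUri,
      'violated-directive': directive,
      'blocked-uri': blockedUri,
      'original-policy': policyText,
      ...extra,
    },
  };
}

const PAGE_ORIGIN = 'https://www.example.com'; // constructed "current site"
const POLICY_TEXT = String.raw`script-src 'self' *.cdn.example.com /^https:\/\/static\d+\.example\.net\//; object-src 'none'`;

// Whitelist test as in the article: only the current site (and the listed
// CDN patterns) may supply scripts; anything else yields a report.
function demo() {
  const policy = parsePolicy(POLICY_TEXT, PAGE_ORIGIN);
  const url = 'http://ad.hijack.invalid/inject.js'; // constructed off-site script
  if (isAllowed(policy, 'script-src', url)) return null;
  return buildReport({
    documentUri: PAGE_ORIGIN + '/index.html',
    directive: 'script-src',
    blockedUri: url,
    policyText: POLICY_TEXT,
    extra: { 'user-agent': 'constructed UA', 'stack': 'constructed stack trace' },
  });
}
```

Because `parsePolicy` is just a function call, the policy can be swapped at runtime from the console exactly as the text describes, and the first three source forms (`'self'`, `'none'`, host with wildcard) are valid CSP syntax, so the same string minus the regex entries can be reused in a Content-Security-Policy header on browsers that support it.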
As long as the traffic filters out our defense script, or blocks the logs from being sent, we have no way to know.

Postscript

In fact, the final program has already gone online. Although it covers only a very small sample of users, it still returns millions of alert logs. Almost all of them are ad hijacking and browser plug-ins; even if there are vulnerabilities among them, we cannot know for now, and we cannot analyze and reproduce them one by one. Therefore, we need an efficient reproduction system to help us automate the reproduction work.

XSS front-end firewall (5): ready to go