Prevent and limit damage of XSS
->
XSS attacks bypass the same origin policy by tricking a site into delivering malicious code along with intended content
Approach: restrict resource loading to a white-list
script-src, connect-src, font-src, frame-src, img-src, media-src, object-src, style-src, default-src
CSP will allow third party widgets(e.g. Google +1 button) to be embedded on your site
Cross origin resource sharing
-A technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume content from a different origin.
-server can inspect origin header and respond with Access-Control-Allow-Origin header
definition of an origin
A combination of URI(UniformResource Identification) scheme hostname, and port number.
Same origin policy for DOM.
Cryptographic Checksums
generate tag: T MACsign(k, SID || name || value)
