[WEB SECURITY] SOMA (a simple way of mitigating cross site scripting/cross site request forgery)

Terri Oda terri at zone12.com
Fri Jul 3 17:41:46 EDT 2009

A shameless plug, since the CSP discussion got me thinking about it:

SOMA is a simple system where both the website that wants to include 
content (the origin site) and the site providing content (the content 
provider) must agree before something is included.

The current implementation is here:


You can also grab our presentation slides from the ACM Computer and 
Communications Security conference last year (CCS'08).  They were 
specifically designed to give a brief overview of the system.

It was designed with simplicity in mind, so it doesn't have all the 
bells and whistles of later, similar proposals such as CSP or ABE, but 
is much easier to set up and use -- basically just a whitelist for stuff 
to be included on your domain, and another whitelist for stuff that you 
let others include, all done on a per-domain basis.

We too would welcome additional comments!
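As an added illustration (not code from the SOMA project or from this post), here is a small Python model of the two-sided, per-domain whitelist described above: a cross-domain load goes through only when the origin site lists the provider's domain in its manifest and the provider lists the origin in its approvals. The policy names (`manifest`, `approvals`), the sample domains and the fail-closed default for sites with no published policy are assumptions of this model, not SOMA's actual file names, wire format or defaults.

```python
from urllib.parse import urlsplit

# Constructed sample policies for this example (not any real site's policy).
# Every site publishes two per-domain whitelists:
#   "manifest":  domains this site is willing to include content from
#   "approvals": origin domains this site allows to embed its content
SITES = {
    "shop.example": {"manifest": {"cdn.example", "ads.example"}, "approvals": set()},
    "blog.example": {"manifest": {"cdn.example"}, "approvals": set()},
    "cdn.example":  {"manifest": set(), "approvals": {"shop.example", "blog.example"}},
    "ads.example":  {"manifest": set(), "approvals": {"blog.example"}},
}
# Assumption of this model: a site with no published policy gets empty whitelists.
NO_POLICY = {"manifest": frozenset(), "approvals": frozenset()}

def domain_of(url: str) -> str:
    """Extract the lowercased host; the policies are keyed by domain only."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    return host.lower()

def inclusion_decision(origin_url: str, content_url: str, sites=SITES) -> str:
    """Mutual-consent check in the SOMA style: the origin site must list the
    provider in its manifest AND the provider must approve the origin.
    Returns a short reason so a log line can say which side vetoed the load."""
    origin, provider = domain_of(origin_url), domain_of(content_url)
    if origin == provider:
        return "same-origin"  # no cross-domain inclusion involved
    if provider not in sites.get(origin, NO_POLICY)["manifest"]:
        return "origin-did-not-list-provider"
    if origin not in sites.get(provider, NO_POLICY)["approvals"]:
        return "provider-did-not-approve-origin"
    return "allowed"

def may_include(origin_url: str, content_url: str, sites=SITES) -> bool:
    """Boolean form: only same-origin loads or mutually agreed loads proceed."""
    return inclusion_decision(origin_url, content_url, sites) in ("same-origin", "allowed")

if __name__ == "__main__":
    for o, c in [("https://shop.example/cart", "https://cdn.example/app.js"),
                 ("https://shop.example/cart", "https://ads.example/track.js"),
                 ("https://blog.example/post", "https://ads.example/track.js"),
                 ("https://shop.example/cart", "https://evil.example/x.js")]:
        print(f"{o} -> {c}: {inclusion_decision(o, c)}")
```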


