Skip to content
No description, website, or topics provided.
JavaScript HTML
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
spec Very skeletal spec. Jan 29, 2015
CONTRIBUTING.md
LICENSE
README.md
background.js
epr-manifest.json
icon.png first commit Aug 4, 2014
manifest.json
popup.html
reWorker.js

README.md

Entry Point Regulation Prototype Chrome Extension

This prototype Chrome extension allows for the implementation of Entry Point Regulation (EPR) on a given web site. Sites with regulated entry points limit their exposure to reflected cross-site scripting vulnerabilities and cross-site request forgery.

Disclaimer: This is not an official Google product.

EPR Implementation for Web Sites

To EPR-enable a site, three steps are required:

  1. List out valid site entry points in a manifest file (/epr-manifest.json). Once installed in Chrome at the client, the EPR Chrome extension is responsible for enforcing the rules specified in a site's EPR manifest. Currently EPR manifests are specified for a given fully qualified domain name. (In the future, this may be extended to allow different paths on a domain to have individually maintained manifests.)

  2. Serve the following HTTP response header from the domain:

X-EPR: 1

This header lets the EPR Chrome extension know to download and store the EPR manifest file. It's best if the X-EPR header is served via web server configuration rather than app-specific configuration, so that it will be served on all HTTP responses.

  1. Install the EPR prototype Chrome extension on client browsers.

Example EPR Manifest

The background.js file contains a hardcoded example manifest, complete with comments. (See eprDataStatic.) The epr-manifest.json file contains the same manifest, just without comments. Edit epr-manifest.json as you'd like and host it at the root.

Eg: [https://www.[Your EPR-enabled website].com/epr-manifest.json](https://www.[Your EPR-enabled website].com/epr-manifest.json)

More Information

EPR blog post: http://randomdross.blogspot.com/2014/08/entry-point-regulation-for-web-apps.html

EPR Google Group: https://groups.google.com/forum/#!forum/epr-list

See background.js for a list of TODOs for future improvements to the EPR Chrome extension.

You can’t perform that action at this time.