- From: Singhal, Harsh <hsnghal@amazon.com>
- Date: Wed, 4 Feb 2026 02:02:05 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: Mike West <mkwst@google.com>, "dveditz@mozilla.com" <dveditz@mozilla.com>, "simone@w3.org" <simone@w3.org>
- Message-ID: <1CBB733B-AEDD-4C45-8329-617BA68EBDAA@amazon.com>
Dear WebAppSec Community,

I am writing to share a proposal for the Tab-Isolated Token Protocol (TITP), an architectural approach designed to programmatically mitigate session hijacking facilitated by Cross-Site Scripting (XSS). Following a productive initial discussion with Mike West, I have developed a technical explainer that outlines the protocol’s goals, its use of a new TabOnly cookie primitive, and a cryptographically protected token system.

Technical Explainer: https://github.com/Harsh0/xss-mitigation-explainer

The Problem

While robust XSS prevention mechanisms exist, backend systems currently lack a reliable method to distinguish legitimate application requests from those generated by malicious scripts following a successful injection. This is particularly critical for applications with long-lived sessions.

The Proposed Solution (TITP)

TITP introduces a TabOnly cookie attribute paired with a backend verification system. To address same-privilege attacker concerns, the protocol leverages client-side cryptography:

* Client-Side Key Generation: The client generates an ephemeral key pair using the Web Crypto API on page load.
* Token Protection: The server encrypts tokens with the client's public key.
* Inaccessibility: The private key is stored within a closure, making it inaccessible to global scope manipulation or intercepted encrypted tokens.

Request for Feedback

I would appreciate the community’s input and guidance on:

* Technical Feasibility: The viability of the cryptographic token pairing approach.
* Implementation: Browser vendor interest in supporting the TabOnly primitive with iframe inheritance requirements.
* Integration: Strategies for working alongside existing security mechanisms like CSP and SameSite.

I look forward to your thoughts and any technical feedback on the explainer.
Best regards,
Harsh Singhal
Senior Software Development Engineer, Amazon Music
LinkedIn<https://www.linkedin.com/in/harsh-singhal/> | Medium<https://harsh-singhal.medium.com/>
Received on Wednesday, 4 February 2026 02:10:44 UTC