The latest news and insights from Google on security and safety on the Internet
December 10, 2008
Announcing "Browser Security Handbook"
Many people view the task of writing secure web applications as a very complex challenge - in part because of the inherent shortcomings of technologies such as HTTP, HTML, or Javascript, and in part because of the subtle differences and unexpected interactions between various browser security mechanisms.
Through the years, we found that having a full understanding of browser-specific quirks is critical to making sound security design decisions in modern Web 2.0 applications. For example, the same user-supplied link may appear to one browser as a harmless relative address, while another could interpret it as a potentially malicious Javascript payload. In another case, an application may rely on a particular HTTP request that is impossible to spoof from within the browser in order to defend the security of its users. However, an attacker might easily subvert the safeguard by crafting the same request from within commonly installed browser extensions. If not accounted for, these differences can lead to trouble.
In hopes of helping to make the Web a safer place, we decided to release our Browser Security Handbook to the general public. This 60-page document provides a comprehensive comparison of a broad set of security features and characteristics in commonly used browsers, along with (hopefully) useful commentary and implementation tips for application developers who need to rely on these mechanisms, as well as engineering teams working on future browser-side security enhancements.
Please note that given the sheer number of characteristics covered, we expect some kinks in the initial version of the handbook; feedback from browser vendors and security researchers is greatly appreciated.
9 comments:
You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.
Note: Only a member of this blog may post a comment.
Thank you MichaĆ, interesting and useful documentation project.
ReplyDeleteThanks also for reporting NoScript with ClearClick as "the only product offering protection" against clickjacking (er... partial?! why?)
BTW, as you probably noticed, initial inspiration for ClearClick came from a post of yours on the whatwg mailing list.
However I'm quite surprised that Section 3 doesn't mention NoScript's "core business" (JavaScript and active content whitelisting), which might be seen as the simplified and user-friendly evolution of MSIE's Zones, and NoScript's Anti-XSS Injection Checker, the venerable ancestor of IE8's anti-XSS filter :)
Where should feedback on kinks be sent?
ReplyDeletei want to register by email to this blog :) so.. take action ;)
ReplyDeleteWhile it is a nice browser, it just is not that customizable or interesting to use as the versatile FireFox.
ReplyDeleteStill waiting for a Linux version of Chrome.
ReplyDeleteThere's also a webcast about browser security on http://www.microsoft.com/events/series/security360.mspx.
ReplyDeleteSince we are on the topic of security, it seems that someone is causing bother :( at least google uk searches are all filtered :(
ReplyDeleteThis morning, no matter what I search on, every link comes up with a warning:
ReplyDeleteWarning - visiting this web site may harm your computer!
well it might look in the shortrun as impossible but did anyone think of gradually eliminating JS support? the internet can live fine without JS these days and still look good, eliminating JS support and other browser side languages might elimitate alot of the harder to manage issues such as csrf and xss and other evil code such as "black widow", and alot of the ads and so on...
ReplyDeletepeople are using less and less JS, and more sites are beggining to support none JS browsers (links, no-script firefox ...)