Dailydave mailing list archives
TTW
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 15 Nov 2011 09:15:30 -0800
Hi folks,

I don't normally spam mailing lists with commercial crap - but I'm actually sort of proud of this one, I think it's sort of unique and may be of interest to many readers... so let's see if Dave is asleep at the moderator wheel.

Long story short, I wanted to plug "The Tangled Web" - a book that was partly inspired by my 2008 Browser Security Handbook (http://code.google.com/p/browsersec/).

TTW is probably the first-ever reasonably detailed examination of the browser security model and its evolution through the years, covering everything from frame navigation policies and some of the less known quirks of plugin handling and content sniffing, to many of the current and upcoming HTML5 features. It's far less of a viable commercial project, and more of an attempt to just document the current state of affairs.

In addition to that, I think it outlines quite a few novel challenges that I think will shape the future of web security, e.g.:

http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html
http://lcamtuf.blogspot.com/2011/08/subtle-deadly-problem-with-csp.html

And as a final bonus for bug hunters, it also highlights a bunch of previously unpublished security issues, such as this Opera origin inheritance flaw (reported in Mar 2011, and fixed not that long ago):

PoC: http://lcamtuf.coredump.cx/inherit/opera.html
Advisory: http://www.opera.com/support/kb/view/995/

For sample chapters, endorsements, etc, you can go there:

http://lcamtuf.coredump.cx/tangled/

Feedback welcome.

/mz