WebApp Sec mailing list archives
Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
From: "Ryan Barnett" <rcbarnett () gmail com>
Date: Fri, 10 Aug 2007 20:27:48 -0400
Ivan Ristic wrote a proposal paper about a year ago called "Secure Browsing Mode" that you might want to look at - http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.pdf It also references Gervase's paper. On 8/10/07, Anurag Agarwal <anurag.agarwal () yahoo com> wrote:
I am looking to get views from people on the list about a proposed security restriction in the browsers The browser should check with the webserver which domains it can interact with (load files from or submit post data to, etc) for that website. How the check is implemented is upto the browser. For example: If a page from mybank.com is trying to submit data to attacker.com then before submitting the data, the browser should check with the mybank.com if it is allowed to do so. Q1. is it reasonable? Q2. What are the pros and cons of this approach? Q3. Would it limit some types of browser attacks (like some xss vectors, etc)? Q4. Would it open any new types of attack vectors? I know there are security researchers, browser vendors, corporate security folks and various other smart webappsec people on this list. I would really appreciate if they can chip in with their 2 cents on this topic. Any feedback is highly appreciated Cheers, Anurag Agarwal SEEC - An application security search engine Web: www.attacklabs.com , www.myappsecurity.com Email : anurag.agarwal () yahoo com Blog : http://myappsecurity.blogspot.com
-- Ryan C. Barnett ModSecurity Community Manager Breach Security: Director of Application Security Training Web Application Security Consortium (WASC) Member CIS Apache Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC Author: Preventing Web Attacks with Apache ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers James Landis (Aug 15)
- <Possible follow-ups>
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Amit Klein (Aug 15)
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Ryan Barnett (Aug 15)
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Amit Klein (Aug 15)
- Message not available