Announcing "Browser Security Handbook"

Wednesday, December 10, 2008 2:54 PM



Many people view the task of writing secure web applications as a very complex challenge - in part because of the inherent shortcomings of technologies such as HTTP, HTML, or Javascript, and in part because of the subtle differences and unexpected interactions between various browser security mechanisms.

Through the years, we found that having a full understanding of browser-specific quirks is critical to making sound security design decisions in modern Web 2.0 applications. For example, the same user-supplied link may appear to one browser as a harmless relative address, while another could interpret it as a potentially malicious Javascript payload. In another case, an application may protect its users by relying on a particular HTTP request that is impossible to spoof from within the browser; however, an attacker might easily subvert that safeguard by crafting the same request from within commonly installed browser extensions. If not accounted for, these differences can lead to trouble.
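
To make the first of those cases concrete, here is an added example (not part of the handbook or of this post): a naive block-list check on a user-supplied href next to a hardened one that first canonicalizes the string the way lenient URL parsers do (dropping leading and trailing control characters and spaces, and any tab or newline anywhere), then allow-lists the scheme. The canonicalization rules follow the WHATWG URL Standard and are an assumption about how the browsers in question behave; `ALLOWED_SCHEMES` and the sample links are constructed.

```javascript
// Added example: why a link check that ignores browser parsing quirks is
// browser-dependent, and a hardened alternative. Not from the handbook.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumption
const NAIVE_BLOCKLIST = ["javascript:", "vbscript:", "data:"];

// Naive check: a block-list matched only at the exact start of the string,
// case-sensitively. Anything a lenient parser strips or folds slips past it.
function naiveIsSafeHref(href) {
  return !NAIVE_BLOCKLIST.some((prefix) => href.startsWith(prefix));
}

// Model of what a lenient URL parser does before reading the scheme:
// drop leading/trailing C0 controls and spaces, then drop every ASCII
// tab, LF and CR anywhere in the input (WHATWG URL Standard behaviour).
function canonicalize(href) {
  return href
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lower-cased scheme, or null for a scheme-less (relative) URL.
function extractScheme(href) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(canonicalize(href));
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: canonicalize like the browser would, then allow-list.
function hardenedIsSafeHref(href) {
  const scheme = extractScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample links; rows where the two checks disagree are exactly
// the browser-dependent gaps the post describes.
const SAMPLES = [
  "/relative/path",
  "https://example.com/",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  " \tjavascript:alert(1)",
  "java\nscript:alert(1)",
  "\u0001javascript:alert(1)",
];

function compareChecks(hrefs = SAMPLES) {
  return hrefs.map((h) => ({
    href: h, naive: naiveIsSafeHref(h), hardened: hardenedIsSafeHref(h),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

Note that a scheme-less value such as `//host/path` is accepted as relative by the hardened check, so an application that must also pin the host needs a further check on the resolved URL.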

In hopes of helping to make the Web a safer place, we decided to release our Browser Security Handbook to the general public. This 60-page document provides a comprehensive comparison of a broad set of security features and characteristics in commonly used browsers, along with (hopefully) useful commentary and implementation tips for application developers who need to rely on these mechanisms, as well as engineering teams working on future browser-side security enhancements.

Please note that given the sheer number of characteristics covered, we expect some kinks in the initial version of the handbook; feedback from browser vendors and security researchers is greatly appreciated.

10 comments:

Giorgio Maone said...

Thank you Michał, interesting and useful documentation project.
Thanks also for reporting NoScript with ClearClick as "the only product offering protection" against clickjacking (er... partial?! why?)
BTW, as you probably noticed, initial inspiration for ClearClick came from a post of yours on the whatwg mailing list.
However I'm quite surprised that Section 3 doesn't mention NoScript's "core business" (JavaScript and active content whitelisting), which might be seen as the simplified and user-friendly evolution of MSIE's Zones, and NoScript's Anti-XSS Injection Checker, the venerable ancestor of IE8's anti-XSS filter :)

Jeff Walden said...

Where should feedback on kinks be sent?

Adrian M. said...

I want to register by email to this blog :) so.. take action ;)

Blony said...

While it is a nice browser, it just is not that customizable or interesting to use as the versatile Firefox.

PressEjectOnPlay said...

Still waiting for a Linux version of Chrome.

TravelingNinja said...

There's also a webcast about browser security on http://www.microsoft.com/events/series/security360.mspx.

pedro_sland said...

Since we are on the topic of security, it seems that someone is causing bother :( at least google uk searches are all filtered :(

Moulton said...

This morning, no matter what I search on, every link comes up with a warning:

Warning - visiting this web site may harm your computer!

M M said...

Does anyone know if Gmail will ever allow us to use security keys (RSA or Verisign) as authentication when entering the password on the site? I know that AOL will allow you to.

I would be interested. . . :)

sole said...

Well, it might look in the short run as impossible, but did anyone think of gradually eliminating JS support? The internet can live fine without JS these days and still look good; eliminating JS support and other browser-side languages might eliminate a lot of the harder to manage issues such as CSRF and XSS and other evil code such as "black widow", and a lot of the ads and so on...
People are using less and less JS, and more sites are beginning to support non-JS browsers (links, NoScript Firefox ...)