[WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

anurag.agarwal at yahoo.com anurag.agarwal at yahoo.com
Mon Aug 13 02:00:35 EDT 2007


I totally agree with Brian on this. Besides, as per my discussion with the Mozilla guys at Blackhat, they were reaching out to the webappsec community to provide ideas, and RSnake has a post related to this:
http://ha.ckers.org/blog/20070811/content-restrictions-a-call-for-input/


 
Cheers,
 
Anurag Agarwal
 
SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal at yahoo.com
Blog : http://myappsecurity.blogspot.com
 



----- Original Message ----
From: Brian Eaton <eaton.lists at gmail.com>
To: pdp (architect) <pdp.gnucitizen at googlemail.com>
Cc: Anurag Agarwal <anurag.agarwal at yahoo.com>; WASC Forum <websecurity at webappsec.org>; "Webappsec @securityFocus" <webappsec at securityfocus.com>
Sent: Sunday, August 12, 2007 9:28:13 PM
Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers


Hey pdp - Interesting comments.  I'm responding to just a few of them.

On 8/11/07, pdp (architect) <pdp.gnucitizen at googlemail.com> wrote:
> Also keep in mind that this solution will stop only POST based CSRF
> attacks. Those based on GET cannot be stopped.

I don't see why this has to be the case.  Why shouldn't policies like
the one Anurag described apply equally to all request methods?  More
to the point, why shouldn't we build a system that lets web masters
describe "allow known good" types of policies?

<snip>
> So yes, we can set up a policy but it will never take off. First of all,
> standardization bodies need to accept it. Then browsers have to
> implement it, and we have a browser war going on at the moment. No
> developer will implement a standard that is not widely adopted.

HttpOnly has been widely adopted, despite being proposed without
approval of a standards body.  All of the major browser vendors
recognize that security is a problem.  Good ideas will catch on.  W3C
will catch up eventually. =)

Cheers,
Brian
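As an added illustration of Brian's point that an "allow known good" policy need not distinguish between request methods, here is a toy policy evaluator (example code written for this page, not the proposal under discussion or any browser's implementation). The policy format, the `Policy` class and the sample origins are assumptions; the only decision input is the source and target origin, so GET and POST are treated identically.

```python
# Added example (not from the thread): a minimal "allow known good" policy
# evaluator that applies the same rule to every HTTP method. The policy
# shape and all names here are assumptions, not the proposal on the list.
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Policy:
    # Origins (scheme://host[:port]) that the site owner has declared as
    # permitted sources of cross-origin requests ("known good").
    allowed_origins: set[str] = field(default_factory=set)


def origin_of(url: str) -> str:
    """Reduce a URL to its origin, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_allowed(policy: Policy, method: str, source_url: str, target_url: str) -> bool:
    """Decide whether a request of `method` from the page at `source_url`
    to `target_url` is permitted. `method` is accepted only to make the
    point explicit: the decision never depends on it."""
    src = origin_of(source_url)
    dst = origin_of(target_url)
    if src == dst:
        return True  # same-origin requests are always permitted
    # Cross-origin: only sources the policy explicitly lists are allowed,
    # regardless of whether the request is a GET, POST or anything else.
    return src in policy.allowed_origins


def check_requests(policy: Policy, requests: list[tuple[str, str, str]]) -> list[tuple[str, bool]]:
    """Evaluate a batch of (method, source_url, target_url) triples."""
    return [(m, is_allowed(policy, m, s, t)) for m, s, t in requests]


if __name__ == "__main__":
    # Constructed sample: a site that only trusts one partner origin.
    policy = Policy(allowed_origins={"https://partner.example"})
    sample = [
        ("GET", "https://unknown.example/page", "https://site.example/action?x=1"),
        ("POST", "https://unknown.example/page", "https://site.example/action"),
        ("GET", "https://partner.example/app", "https://site.example/action?x=1"),
        ("POST", "https://site.example/form", "https://site.example/action"),
    ]
    for method, allowed in check_requests(policy, sample):
        print(f"{method:<5} {'allow' if allowed else 'deny'}")
```

Because the rule keys on origin rather than method, a GET-triggered cross-site request from an unlisted origin is denied exactly like the POST variant, which is the symmetry Brian is asking for.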