Developers of the Firefox browser are designing new technologies aimed at protecting users from some of the nastiest and most prevalent forms of website attacks. One protection is designed to minimize end users' risk to cross-site scripting (XSS) attacks and cross-site request forgeries (CSRFs), both of which subvert basic …
"enable websites to define security policies that the browser enforces"
You mean the like the 'same origin' policy we already have, that isn't regularly found to haven problems in it's impl. ?
Why not make noscript a default extension, and spend the resources on something useful (like beer).
Base for anti-Phorm browsing?
Any gurus reading?
The web site operators are in on it
Things like wildcard "*" cross domain trust are allowed by the ecommerce site operators, and are not a hacker artifact. Phishing works well because the ecommerce sites are making money on advertising which requires the wildcard cross domain trust. Doubleclick (via ru4.com) embeds a "*" trust value in their client's web sites. The more interesting topic is "how does an ecommerce site go about vetting their advertisers and biz partners to ensure the main site does not become vulnerable?"
Of course, if they want to get paid by their advertisers, they'll have to whitelist all the ad-serving domains.
And then the infected banner ads will be able to get through again.
End result: another one of those security features that is turned-off everywhere because it's too inconvenient, and very little (if any) extra protection for surfers.
If this is such a wonderful idea, shouldn't they bring it to the W3C as some sort of cross browser standard?
I *really* hope the peeps at InformAction OpenSource Software (the makers of NoScript) are working hand in hand with the weebls over there. Mozilla has a great thing goin' on, but a lot of good add-ons could stand to be part of the default interface that it's not funny anymore.
Bundle NoScript with FireFox!
we tried that: the HTML folks said it wasn't their domain because it's headers external to the document mark-up, and the HTTP folks told us the controls were specific to documents and we should talk to the HTML folks.
At this point it's just an experiment. If it looks useful in practice I'm sure we can find a standards body home for it, and it will need to be standardized to really work long-term. But trying to standardize without having at least one implementation tends to lead to standards no one wants to (or can) implement; some standards bodies even require two compatible implementations before they'll call a standard "final".
Where are the IE flamers?
You know, the ones who jump all over IE for having non-standardized bits? Shouldn't you all be bashing Mozilla now?
Who decides whom to trust?
"The idea is to enable websites to define security policies that the browser enforces."
What if the security policy on a given website allows for direct malware injection or a script that redirects to a malware site that is "approved" by the referring website?
Not exactly the security policy I have in mind but I am not too worried about me. If there was such a plug-in I would probably not trust it very much.
The entire idea of FF is that it is a minimal browser which is then extensible. If they just started shipping all the extensions with the installer, their whole mission would be for nothing. Not that it really got them all that far, since their minimal, stripped browser has been larger and slower than a certain other full featured browser/mail client/irc client/etc for quite some time now.
Bashing Mozilla got tiring a long time ago. I think people tend to bash IE because it makes their lives so terrible, with the non-standard compliance, spyware auto-downloading, etc. Mozilla is just somewhat annoying.
Where can I find the original message?
Where can I find the original message, and how can I get involved? I am involved with web security for a living, and see the need for better protections on the client side on the modern web.
> The entire idea of FF is that it is a minimal browser which is then extensible. If they just started shipping all the extensions with the installer, their whole mission would be for nothing.
heh, superb, but if you're going to take the mickey by impersonating crazed techies in this way, use a smiley - there are people on this site who might misunderstand you.
(In case anyone was confused, "the entire idea of FF" is of course to be a much better browser than IE for the whole world to use, and that means making ordinary browsing as safe ***as humanly possible*** for ordinary people. Startup speed, extensibility, standards, blah blah, all of it counts for nothing to a normal person compared to ***Not Needing a Degree In Technology To Prevent My Bank Details Being Stolen***)
A Fool and his money are soon parted
You can Upgrade and polish up security on browsers as much as you like, if people are stupid then they will lose money, info, etc etc
Believe it or not people who get an email from their bank saying we have lost your user name and password info, plese click on this Barclays looking link and put your info in. Will STILL fall for it.
I had one recently and was pleased to see Windows Live Mail include a button called report phishing scam. So I hapily Clicked on it. Hopefully something will be done about it.
I suppose it would be useful for this functionality to be built into the browser, but I have little doubt that the "NoScript" extension will still do it much better. (if nothing else because of the ridiculously frequent updates to NoScript)
Security? What security?
For whom and by whom?
I'm an IE flamer, for the exact reason you mention. Standards are meant to minimise development overhead by allowing the same code to be cross-browser compatible, a thing IE is notorious for breaking. Should Mozilla go this same route, deviating from the W3C, rest assured I (and many other web developers) will start hoeing into them with just as much avidity as we currently attack IE!
Paris because she's become a universal standard on El Reg...
- Updated Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
- Elon Musk's LEAKY THRUSTER gas stalls Space Station supply run
- Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
- FOUR DAYS: That's how long it took to crack Galaxy S5 fingerscanner
- Did a date calculation bug just cost hard-up Co-op Bank £110m?