Firefox developers tinker with new security protections (finally) Developers of the Firefox browser are designing new technologies aimed at protecting users from some of the nastiest and most prevalent forms of website attacks. One protection is designed to minimize end users' risk to cross-site scripting (XSS) attacks and cross-site request forgeries (CSRFs), both of which subvert basic …
Things like wildcard "*" cross domain trust are allowed by the ecommerce site operators, and are not a hacker artifact. Phishing works well because the ecommerce sites are making money on advertising which requires the wildcard cross domain trust. Doubleclick (via ru4.com) embeds a "*" trust value in their client's web sites. The more interesting topic is "how does an ecommerce site go about vetting their advertisers and biz partners to ensure the main site does not become vulnerable?"
>"Site developers could indicate an explicit set of domains that should be treated as valid sources of javascript, so that code embedded in sites that aren't specifically white-listed would not be executed."
Of course, if they want to get paid by their advertisers, they'll have to whitelist all the ad-serving domains.
And then the infected banner ads will be able to get through again.
End result: another one of those security features that is turned-off everywhere because it's too inconvenient, and very little (if any) extra protection for surfers.
Bad execution.
I *really* hope the peeps at InformAction OpenSource Software (the makers of NoScript) are working hand in hand with the weebls over there. Mozilla has a great thing goin' on, but a lot of good add-ons could stand to be part of the default interface that it's not funny anymore.
Bundle NoScript with FireFox!
we tried that: the HTML folks said it wasn't their domain because it's headers external to the document mark-up, and the HTTP folks told us the controls were specific to documents and we should talk to the HTML folks.
At this point it's just an experiment. If it looks useful in practice I'm sure we can find a standards body home for it, and it will need to be standardized to really work long-term. But trying to standardize without having at least one implementation tends to lead to standards no one wants to (or can) implement; some standards bodies even require two compatible implementations before they'll call a standard "final".
"The idea is to enable websites to define security policies that the browser enforces."
What if the security policy on a given website allows for direct malware injection or a script that redirects to a malware site that is "approved" by the referring website?
Not exactly the security policy I have in mind but I am not too worried about me. If there was such a plug-in I would probably not trust it very much.
@Pyros:
The entire idea of FF is that it is a minimal browser which is then extensible. If they just started shipping all the extensions with the installer, their whole mission would be for nothing. Not that it really got them all that far, since their minimal, stripped browser has been larger and slower than a certain other full featured browser/mail client/irc client/etc for quite some time now.
@Darryl:
Bashing Mozilla got tiring a long time ago. I think people tend to bash IE because it makes their lives so terrible, with the non-standard compliance, spyware auto-downloading, etc. Mozilla is just somewhat annoying.
> The entire idea of FF is that it is a minimal browser which is then extensible. If they just started shipping all the extensions with the installer, their whole mission would be for nothing.
heh, superb, but if you're going to take the mickey by impersonating crazed techies in this way, use a smiley - there are people on this site who might misunderstand you.
(In case anyone was confused, "the entire idea of FF" is of course to be a much better browser than IE for the whole world to use, and that means making ordinary browsing as safe ***as humanly possible*** for ordinary people. Startup speed, extensibility, standards, blah blah, all of it counts for nothing to a normal person compared to ***Not Needing a Degree In Technology To Prevent My Bank Details Being Stolen***)
You can Upgrade and polish up security on browsers as much as you like, if people are stupid then they will lose money, info, etc etc
Believe it or not people who get an email from their bank saying we have lost your user name and password info, plese click on this Barclays looking link and put your info in. Will STILL fall for it.
I had one recently and was pleased to see Windows Live Mail include a button called report phishing scam. So I hapily Clicked on it. Hopefully something will be done about it.
I'm an IE flamer, for the exact reason you mention. Standards are meant to minimise development overhead by allowing the same code to be cross-browser compatible, a thing IE is notorious for breaking. Should Mozilla go this same route, deviating from the W3C, rest assured I (and many other web developers) will start hoeing into them with just as much avidity as we currently attack IE!
I just DON'T want to have to write ten different versions of my CGI/PHP, CSS and HTML with 500 lines of browser-sniffing Javascript, to accommodate every different vendor's vision of the perfect browser, thanks very much!
Paris because she's become a universal standard on El Reg...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
