[WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- From: Anurag Agarwal <anurag.agarwal@xxxxxxxxx>
- Subject: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- Date: Fri, 10 Aug 2007 14:08:48 -0700 (PDT)
I am looking to get views from people on the list about a proposed security restriction in the browsers.

The browser should check with the webserver which domains it can interact with (load files from or submit POST data to, etc.) for that website. How the check is implemented is up to the browser.

For example: if a page from mybank.com is trying to submit data to attacker.com, then before submitting the data, the browser should check with mybank.com whether it is allowed to do so.

Q1. Is it reasonable?
Q2. What are the pros and cons of this approach?
Q3. Would it limit some types of browser attacks (like some XSS vectors, etc.)?
Q4. Would it open any new types of attack vectors?

I know there are security researchers, browser vendors, corporate security folks and various other smart webappsec people on this list. I would really appreciate it if they could chip in with their 2 cents on this topic.

Any feedback is highly appreciated.

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com
Brought to you by http://www.webappsec.org