Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- Date: Fri, 10 Aug 2007 20:27:48 -0400
Ivan Ristic wrote a proposal paper about a year ago called "Secure
Browsing Mode" that you might want to look at -
http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.pdf
It also references Gervase's paper.
On 8/10/07, Anurag Agarwal <anurag.agarwal@xxxxxxxxx> wrote:
> I am looking to get views from people on the list about a proposed security
> restriction in the browsers
>
> The browser should check with the webserver which domains it can interact
> with (load files from or submit post data to, etc.) for that website. How the
> check is implemented is up to the browser.
>
> For example: If a page from mybank.com is trying to submit data to
> attacker.com then before submitting the data, the browser should check with
> mybank.com if it is allowed to do so.
>
> Q1. Is it reasonable?
> Q2. What are the pros and cons of this approach?
> Q3. Would it limit some types of browser attacks (like some xss vectors,
> etc)?
> Q4. Would it open any new types of attack vectors?
>
>
> I know there are security researchers, browser vendors, corporate security
> folks and various other smart webappsec people on this list. I would really
> appreciate it if they could chip in with their 2 cents on this topic.
>
>
> Any feedback is highly appreciated
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine
> Web: www.attacklabs.com , www.myappsecurity.com
> Email : anurag.agarwal@xxxxxxxxx
> Blog : http://myappsecurity.blogspot.com
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
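The domain check Anurag proposes, modelled as an added example (not code from this thread, and not any browser's or ModSecurity's implementation): the page's origin publishes a list of hosts its pages may load from or submit to, and the browser consults that list before each cross-host interaction. The JSON policy shape, its path, the two action names and the sample hosts are all assumptions constructed for the example.

```javascript
// Added example: a minimal model of the "ask the origin which domains it
// may talk to" check. The policy format below is invented for illustration;
// in a real deployment it would be fetched from the page's own origin over
// HTTPS (e.g. a hypothetical https://mybank.com/.well-known/interaction-policy).

// Constructed sample policy that mybank.com would publish for its pages.
// "load"   = hosts the page may fetch subresources from
// "submit" = hosts the page may POST form data to
const SAMPLE_POLICY = {
  load:   ["mybank.com", "*.cdn.mybank.com"],
  submit: ["mybank.com"],
};

// Match a policy entry against a hostname. A "*." prefix matches any proper
// subdomain and never the bare parent, so "*.cdn.mybank.com" does not match
// "cdn.mybank.com" or "cdn.mybank.com.attacker.example".
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".cdn.mybank.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Decide whether a page at pageUrl may perform `action` against targetUrl.
// Fails closed on malformed URLs, unknown actions and HTTPS->HTTP downgrades.
function isAllowed(policy, pageUrl, action, targetUrl) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(targetUrl);
  } catch {
    return false; // unparsable URL: refuse rather than guess
  }
  if (page.protocol === "https:" && target.protocol !== "https:") {
    return false; // never let a secure page leak data over plaintext
  }
  if (page.hostname === target.hostname) {
    return true; // same host is always permitted
  }
  const allowed = policy[action];
  if (!Array.isArray(allowed)) {
    return false; // action not covered by the policy: deny
  }
  return allowed.some((pattern) => hostMatches(pattern, target.hostname));
}
```

Note that the check is only as trustworthy as the channel the policy arrives over: if an attacker can tamper with the policy response, they can add their own host to it, which is one of the "new attack vectors" the original question asks about.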