
Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers



I totally agree with Brian on this. Besides, as per my discussion with the Mozilla guys at Blackhat, they were reaching out to the webappsec community to provide ideas, and RSnake has a post related to this:
http://ha.ckers.org/blog/20070811/content-restrictions-a-call-for-input/

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com

----- Original Message ----
From: Brian Eaton <eaton.lists@gmail.com>
To: pdp (architect) <pdp.gnucitizen@googlemail.com>
Cc: Anurag Agarwal <anurag.agarwal@yahoo.com>; WASC Forum <websecurity@webappsec.org>; "Webappsec @securityFocus" <webappsec@securityfocus.com>
Sent: Sunday, August 12, 2007 9:28:13 PM
Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

Hey pdp - Interesting comments. I'm responding to just a few of them.

On 8/11/07, pdp (architect) <pdp.gnucitizen@googlemail.com> wrote:
> Also keep in mind that this solution will stop only POST-based CSRF
> attacks. Those based on GET cannot be stopped.

I don't see why this has to be the case. Why shouldn't policies like the one Anurag described apply equally to all request methods? More to the point, why shouldn't we build a system that lets webmasters describe "allow known good" types of policies?

<snip>
> So yes, we can set up a policy but it will never take off. First of all
> standardization bodies need to accept it. Then browsers have to
> implement it and we have a browser war going on at the moment. No
> developer will implement a standard that is not widely adopted.

HttpOnly has been widely adopted, despite being proposed without approval of a standards body. All of the major browser vendors recognize that security is a problem. Good ideas will catch on. W3C will catch up eventually. =)

Cheers,
Brian



Brought to you by http://www.webappsec.org