[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

From: "James Landis" <jcl24@xxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Date: Mon, 13 Aug 2007 13:48:23 -0400

On 8/12/07, pdp (architect) <pdp.gnucitizen@xxxxxxxxxxxxxx> wrote:
> I would suggest that the trust should be put into the browser not the
> website since you have not control over the website but you do have
> control over the software installed on your PC. But again, the
> security of the client depends on the security of the server and the
> security of the server depends on the security of the client.

While thinking about this the last few days, I actually came to the
opposite conclusion. I believe it's fundamental not to trust the
client environment, especially with a protocol as ubiquitously (?)
implemented as HTTP. If we start relying on client behavior as a
partial solution to cross-domain problems, then we're opening
ourselves up for several negative side effects:

1) Developers get lazy about output encoding/transaction security in general
2) We "forget" about the reasons why certain controls have been
implemented in the first place, allowing the problem to resurface
again beyond the date of our collective memory lapse
3) The obvious nightmare of updating the spec, including backwards compatibility

I want to clarify that I'm speaking from the perspective of the
application developer, not the client/browser.

I am of course in favor of implementing anything that helps from a
client perspective. Certainly, problems such as the cross-domain
issues with Flash et. al. should be addressed, since they disobey the
same-source restrictions already defined.

I think there are ways to work within the existing spec to solve most
of the problems we're dealing with. There are a lot of issues that
arise because we're trying to build these complex applications onto a
stateless protocol, but if the trend continues toward more SOA, then
we're dealing with mostly stateless transactions anyway, and we have
to learn how to cope with those at some point.

-j

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

References:
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
  - From: anurag . agarwal
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
  - From: pdp (architect)

Prev by Date: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Next by Date: [WEB SECURITY] WASC Announcement: 'WASSEC Project' Call for Participants
Previous by thread: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Next by thread: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site