ISWG Open Letters to Browsers - Revision history

Arshan: ISWG Open Letters to ISWG moved to ISWG Open Letters to Browsers: typo in title

2009-02-12T14:48:50Z

ISWG Open Letters to ISWG moved to ISWG Open Letters to Browsers: typo in title

Arshan at 14:48, 12 February 2009

2009-02-12T14:48:24Z

Arshan at 14:48, 12 February 2009

2009-02-12T14:48:04Z

Arshan: putting 2nd edit of letter on site

2009-02-12T14:46:07Z

putting 2nd edit of letter on site

New page

The OWASP Foundation is deeply concerned about the risk associated with increasingly useful and powerful browsers. We are seeking to support the browser vendors with research, resources, and ideas. At our recent Summit in Portugal, OWASP's Intrinsic Security Working Group (ISWG) met to discuss the key security challenges in browsers. The ISWG is a group of web application security specialists that contribute their time to OWASP to try to make the Internet a safer place.

We'd like to identify practical solutions to some of the security issues that could affect security of both browser users and organizations with web applications. The following recommendations are some initial ideas we'd like to help get implemented. We selected these ideas as good starting points because they are either relatively simple to implement or they offer a great deal of protection.

The first protection the ISWG recommends browsers implement is the HTTPOnly flag. The majority of major browsers currently offer some level of protection when applications use the HTTPOnly flag. Unfortunately, because the implementations are not complete, it is still possible under certain circumstances to bypass the mechanism. When this flag is turned on, JavaScript should not be able to read or write to the cookie object in the page's DOM. Also, it is possible to read cookie data from XmlHttpRequest response data even with HTTPOnly on. Ideally, no JavaScript could access or modify any cookie data from a cookie with the HTTPOnly flag.

The second protection the ISWG is recommending is to disable "autocomplete" features within cross-domain iframes. Browser users utilize this feature so they don't have to remember passwords for multiple sites or save themselves the effort of repeatedly typing in the same credentials. If a browser automatically populates a login form for a site the user trusts, an attacker can trick the user into clicking the "login" button and execute fully authenticated functionality on the attacker's behalf with the victim's credentials.

The final protection the ISWG is recommending is to implement of "jail" tags. Jail tags could allow applications to reliably mark pieces of the page where untrusted user input appears without introducing any risk of cross-site scripting. The future of the web is more inter-connectivity and more user content, so the need for this type of protection is critical.

Thanks for your time,
OWASP Intrinsic Security Working Group
http://www.owasp.org/

@@ Line 10: / Line 10: @@
 Thanks for your time,<br>
-OWASP Intrinsic Security Working Group>br?
+OWASP Intrinsic Security Working Group<br>
 http://www.owasp.org/

@@ Line 1: / Line 1: @@
-The OWASP Foundation is deeply concerned about the risk associated with increasingly useful and powerful browsers. We are seeking to support the browser vendors with research, resources, and ideas.  At our recent Summit in Portugal, OWASP's Intrinsic Security Working Group (ISWG) met to discuss the key security challenges in browsers.  The ISWG is a group of web application security specialists that contribute their time to OWASP to try to make the Internet a safer place.
+The OWASP Foundation is deeply concerned about the risk associated with increasingly useful and powerful browsers. We are seeking to support the browser vendors with research, resources, and ideas.  At our recent Summit in Portugal, OWASP's Intrinsic Security Working Group (ISWG) met to discuss the key security challenges in browsers.  The ISWG is a group of web application security specialists that contribute their time to OWASP to try to make the Internet a safer place.<BR><br>
-We'd like to identify practical solutions to some of the security issues that could affect security of both browser users and organizations with web applications.  The following recommendations are some initial ideas we'd like to help get implemented. We selected these ideas as good starting points because they are either relatively simple to implement or they offer a great deal of protection.
+The first protection the ISWG recommends browsers implement is the HTTPOnly flag. The majority of major browsers currently offer some level of protection when applications use the HTTPOnly flag. Unfortunately, because the implementations are not complete, it is still possible under certain circumstances to bypass the mechanism. When this flag is turned on, JavaScript should not be able to read or write to the cookie object in the page's DOM. Also, it is possible to read cookie data from XmlHttpRequest response data even with HTTPOnly on. Ideally, no JavaScript could access or modify any cookie data from a cookie with the HTTPOnly flag.<BR><br>
-The first protection the ISWG recommends browsers implement is the HTTPOnly flag. The majority of major browsers currently offer some level of protection when applications use the HTTPOnly flag. Unfortunately, because the implementations are not complete, it is still possible under certain circumstances to bypass the mechanism. When this flag is turned on, JavaScript should not be able to read or write to the cookie object in the page's DOM. Also, it is possible to read cookie data from XmlHttpRequest response data even with HTTPOnly on. Ideally, no JavaScript could access or modify any cookie data from a cookie with the HTTPOnly flag.
+The second protection the ISWG is recommending is to disable "autocomplete" features within cross-domain iframes. Browser users utilize this feature so they don't have to remember passwords for multiple sites or save themselves the effort of repeatedly typing in the same credentials. If a browser automatically populates a login form for a site the user trusts, an attacker can trick the user into clicking the "login" button and execute fully authenticated functionality on the attacker's behalf with the victim's credentials.<BR><br>
-The second protection the ISWG is recommending is to disable "autocomplete" features within cross-domain iframes. Browser users utilize this feature so they don't have to remember passwords for multiple sites or save themselves the effort of repeatedly typing in the same credentials. If a browser automatically populates a login form for a site the user trusts, an attacker can trick the user into clicking the "login" button and execute fully authenticated functionality on the attacker's behalf with the victim's credentials.
+The final protection the ISWG is recommending is to implement of "jail" tags. Jail tags could allow applications to reliably mark pieces of the page where untrusted user input appears without introducing any risk of cross-site scripting. The future of the web is more inter-connectivity and more user content, so the need for this type of protection is critical.<BR><br>
-The final protection the ISWG is recommending is to implement of "jail" tags. Jail tags could allow applications to reliably mark pieces of the page where untrusted user input appears without introducing any risk of cross-site scripting. The future of the web is more inter-connectivity and more user content, so the need for this type of protection is critical.
+Thanks for your time,<br>
+OWASP Intrinsic Security Working Group>br?
 http://www.owasp.org/

← Older revision	Revision as of 14:48, 12 February 2009
(No difference)