ISWG Open Letter to Browsers
To all browser vendors,
The OWASP Foundation is deeply concerned about the risk associated with increasingly powerful browsers. We are seeking to support browser vendors with research, resources, and ideas about how to navigate around the many security challenges we face on the web. At our recent Summit in Portugal, OWASP's Intrinsic Security Working Group (ISWG) met to discuss the key security challenges at the various intersections of web applications and browsers. The ISWG is a group of web application security specialists who contribute their time to OWASP to try to make building secure web applications easier.
We hope to identify practical solutions to some of the security issues that could affect both browser users and organizations with web applications. The following recommendations are some initial ideas we'd like to help get implemented. We selected a few of these ideas as good starting points because they are either simple to implement or because they offer a critical protection that is needed today.
• The second protection the ISWG is recommending is the disabling of "autocomplete" features within cross-domain iframes. Browser users rely on the autocomplete feature so they don't have to remember passwords for multiple sites, or to save themselves the effort of repeatedly typing in the same credentials. However, the recently publicized "clickjacking" technique has enabled attackers to trick users into clicking "past" a benign-looking page and into a site that they trust. If a browser automatically populates a login form for a site the user trusts, an attacker can force the user to click the "login" button and further execute fully authenticated functionality on the attacker's behalf.
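The recommendation above expressed as a decision rule, in an added sketch that is not code from any browser or from OWASP. The names `originOf` and `mayAutofill` and the `frameChain` input (document URLs from the top-level page down to the document holding the form) are assumptions for illustration; the sketch goes slightly beyond the letter by also withholding autofill when any intermediate ancestor is cross-origin or when the form document has an opaque origin.

```javascript
// Added illustration of the proposed rule; hypothetical names, not browser code.

// Return the serialized origin (scheme, host, port) of a document URL,
// or null when the URL is invalid or its origin is opaque (e.g. data:, about:).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (err) {
    return null;
  }
}

// frameChain: document URLs from the top-level page (index 0) down to the
// document that contains the login form (last element).
// Saved credentials may be filled only if every document in the chain shares
// the form document's origin, so no other origin controls what the user sees
// around or on top of the form.
function mayAutofill(frameChain) {
  if (!Array.isArray(frameChain) || frameChain.length === 0) return false;
  const formOrigin = originOf(frameChain[frameChain.length - 1]);
  if (formOrigin === null) return false;
  return frameChain.every((url) => originOf(url) === formOrigin);
}

// Constructed sample chains (all hosts are placeholders).
const samples = {
  topLevelLogin: ["https://bank.example/login"],
  sameOriginFrame: ["https://bank.example:443/home", "https://bank.example/login"],
  crossOriginParent: ["https://games.example/play", "https://bank.example/login"],
  schemeMismatch: ["http://bank.example/home", "https://bank.example/login"],
  crossOriginMiddle: [
    "https://bank.example/home",
    "https://widgets.example/embed",
    "https://bank.example/login",
  ],
  opaqueForm: ["https://bank.example/home", "data:text/html,<form></form>"],
};

for (const [name, chain] of Object.entries(samples)) {
  console.log(name, mayAutofill(chain) ? "autofill allowed" : "autofill withheld");
}
```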
We thank you for your consideration of these issues, and hope to work with any interested parties in furthering the security of browsers and web applications at the building block level.
OWASP Intrinsic Security Working Group