IT Trenches » Chrome http://itknowledgeexchange.techtarget.com/it-trenches Fri, 19 Nov 2010 14:37:59 +0000 en-US hourly 1 Google has published a browser security handbook for developers http://itknowledgeexchange.techtarget.com/it-trenches/google-has-published-a-browser-security-handbook-for-developers/ http://itknowledgeexchange.techtarget.com/it-trenches/google-has-published-a-browser-security-handbook-for-developers/#comments Wed, 29 Apr 2009 13:02:55 +0000 Troy Tate http://itknowledgeexchange.techtarget.com/it-trenches/google-has-published-a-browser-security-handbook-for-developers/ If you develop websites or manage webservices, then you should check out the Browser Security Handbook that Google publishes on their code.google.com website. The Browser Security Handbook currently has three sections:

Part 1: Basic concepts behind web browsers

  • Uniform Resource Locators
    • Unicode in URLs
  • True URL schemes
  • Pseudo URL schemes
  • Hypertext Transfer Protocol
  • Hypertext Markup Language
    • HTML entity encoding
  • Document Object Model
  • Browser-side Javascript
    • Javascript character encoding
  • Other document scripting languages
  • Cascading stylesheets
    • CSS character encoding
  • Other built-in document formats
  • Plugin-supported content

Part 2: Standard browser security features

  • Same-origin policy
    • Same-origin policy for DOM access
    • Same-origin policy for XMLHttpRequest
    • Same-origin policy for cookies
    • Same-origin policy for Flash
    • Same-origin policy for Java
    • Same-origin policy for Silverlight
    • Same-origin policy for Gears
    • Origin inheritance rules
    • Cross-site scripting and same-origin policies
  • Life outside same-origin rules
    • Navigation and content inclusion across domains
    • Arbitrary page mashups (UI redressing)
    • Gaps in DOM access control
    • Privacy-related side channels
  • Various network-related restrictions
    • Local network / remote network divide
    • Port access restrictions
    • URL scheme access rules
    • Redirection restrictions
    • International Domain Name checks
    • Simultaneous connection limits
  • Third-party cookie rules
  • Content handling mechanisms
    • Survey of content sniffing behaviors
    • Downloads and Content-Disposition
    • Character set handling and detection
    • Document caching
  • Defenses against disruptive scripts
    • Popup and dialog filtering logic
    • Window appearance restrictions
    • Execution timeouts and memory limits
    • Page transition logic
  • Protocol-level encryption facilities

Part 3: Experimental and legacy security mechanisms

  • HTTP authentication
  • Name look-ahead and content prefetching
  • Password managers
  • Microsoft Internet Explorer zone model
  • Microsoft Internet Explorer frame restrictions
  • Mozilla and Safari HTML5 storage experiments
  • Microsoft Internet Explorer XSS filtering
  • Script restriction frameworks
  • Origin headers
  • Mozilla content security policies

This is a good resource for developers and administrators to understand browser & web security considerations.

Thanks for reading and let’s continue to be good network citizens.

]]> http://itknowledgeexchange.techtarget.com/it-trenches/google-has-published-a-browser-security-handbook-for-developers/feed/ 0