IT Trenches

Apr 29 2009   1:02PM GMT

Google has published a browser security handbook for developers

Troy Tate Profile: Troy Tate

If you develop websites or manage webservices, then you should check out the Browser Security Handbook that Google publishes on their website. The Browser Security Handbook currently has three sections:

Part 1: Basic concepts behind web browsers

  • Uniform Resource Locators
    • Unicode in URLs
  • True URL schemes
  • Pseudo URL schemes
  • Hypertext Transfer Protocol
  • Hypertext Markup Language
    • HTML entity encoding
  • Document Object Model
  • Browser-side Javascript
    • Javascript character encoding
  • Other document scripting languages
  • Cascading stylesheets
    • CSS character encoding
  • Other built-in document formats
  • Plugin-supported content

Part 2: Standard browser security features

  • Same-origin policy
    • Same-origin policy for DOM access
    • Same-origin policy for XMLHttpRequest
    • Same-origin policy for cookies
    • Same-origin policy for Flash
    • Same-origin policy for Java
    • Same-origin policy for Silverlight
    • Same-origin policy for Gears
    • Origin inheritance rules
    • Cross-site scripting and same-origin policies
  • Life outside same-origin rules
    • Navigation and content inclusion across domains
    • Arbitrary page mashups (UI redressing)
    • Gaps in DOM access control
    • Privacy-related side channels
  • Various network-related restrictions
    • Local network / remote network divide
    • Port access restrictions
    • URL scheme access rules
    • Redirection restrictions
    • International Domain Name checks
    • Simultaneous connection limits
  • Third-party cookie rules
  • Content handling mechanisms
    • Survey of content sniffing behaviors
    • Downloads and Content-Disposition
    • Character set handling and detection
    • Document caching
  • Defenses against disruptive scripts
    • Popup and dialog filtering logic
    • Window appearance restrictions
    • Execution timeouts and memory limits
    • Page transition logic
  • Protocol-level encryption facilities

Part 3: Experimental and legacy security mechanisms

  • HTTP authentication
  • Name look-ahead and content prefetching
  • Password managers
  • Microsoft Internet Explorer zone model
  • Microsoft Internet Explorer frame restrictions
  • Mozilla and Safari HTML5 storage experiments
  • Microsoft Internet Explorer XSS filtering
  • Script restriction frameworks
  • Origin headers
  • Mozilla content security policies

This is a good resource for developers and administrators to understand browser & web security considerations.

Thanks for reading and let’s continue to be good network citizens.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: