Browser security handbook
Tuesday, 16. December 2008, 21:25:28
If you are interested in web browsers or web pages ( - if you aren't, what are you doing reading my blog?? - ) and haven't seen Michal Zalewski's Browser Security Handbook, you should have a look. It is a very impressive resource!
(Some of the Opera-related information needs corrections. For example, Opera also uses an IDNA TLD whitelist though the page claims we always show such domains with their intended characters. Also, the list is among Opera's downloadable settings so we can easily add and remove top level domains if registrars change their policies or do not follow them correctly. Another example is where they claim Opera allows XMLHttpRequest with any random verb - no, we silently convert unknowns to GET, which is probably a very stupid thing to do and will probably be fixed to do something more sensible when we or the spec authors figure out what that should be.)
I'm not through everything yet, and I have already nagged developers about issues we should investigate or fix. Seeing those tables comparing browser policies on security-sensitive issues is really an eye-opener sometimes.
On a side note, it's nice that Google security researcher Chris Evans gives Opera "some serious credit" on getting CANVAS security right, and the IE blog mentions Opera's site patching as a precursor to their downloadable list of sites to show in compatibility view. (I guess they didn't even know that one of the settings we can force for a specific site through override_downloaded.ini is whether to show it in quirks or standards mode.) Nothing like some peer recognition of our work
(Some of the Opera-related information needs corrections. For example, Opera also uses an IDNA TLD whitelist though the page claims we always show such domains with their intended characters. Also, the list is among Opera's downloadable settings so we can easily add and remove top level domains if registrars change their policies or do not follow them correctly. Another example is where they claim Opera allows XMLHttpRequest with any random verb - no, we silently convert unknowns to GET, which is probably a very stupid thing to do and will probably be fixed to do something more sensible when we or the spec authors figure out what that should be.)
I'm not through everything yet, and I have already nagged developers about issues we should investigate or fix. Seeing those tables comparing browser policies on security-sensitive issues is really an eye-opener sometimes.
On a side note, it's nice that Google security researcher Chris Evans gives Opera "some serious credit" on getting CANVAS security right, and the IE blog mentions Opera's site patching as a precursor to their downloadable list of sites to show in compatibility view. (I guess they didn't even know that one of the settings we can force for a specific site through override_downloaded.ini is whether to show it in quirks or standards mode.) Nothing like some peer recognition of our work
WIDGETIZE
kyleabaker # 16. December 2008, 22:30
mabdul # 17. December 2008, 18:21
hallvors # 17. December 2008, 20:41
The way they are going with this I wouldn't be surprised if they also implemented some way a site could say "oh, don't apply the mode from the automated list" to cover cases where web developers solve the problem but run into new issues because now the rendering mode is wrong #-p.
The great thing about browser.js is that fixes can be almost as granular as you wish. If the site just expects its built-in custom document.getElementByClassName() but yet doesn't overwrite ours we don't need to switch to using the Opera 8 engine or JavaScript mode or anything - we can just quietly drop that specific method before running the page script that will redefine it. The mode switches IE8 is implementing are heavy-handed in comparison.. If they could do something more granular it would be terribly complex but also possibly more friendly to web developers who try to correct their errors.
_Grey_ # 17. December 2008, 21:31
hallvors # 18. December 2008, 23:43