Browser Security
Posted by: p0deje
Date: April 18, 2010 09:00AM

Since I didn't find any resource about all browser security opportunities, I want to collect all possible information in this thread.

The question is: how can a website developer mitigate webapp vulnerabilities using browsers' security models?

That's what I've found.

-- XSS --
1. X-Content-Security-Policy HTTP header. Supported by Firefox 3.? https://wiki.mozilla.org/Security/CSP/Spec
2. X-XSS-Protection HTTP header. Supported by IE8, and only for disabling it: http://blogs.msdn.com/mikeormond/archive/2009/01/26/ie8-cross-site-scripting-xss-protection.aspx

-- CSRF --
1. Origin HTTP header. Supported by Chrome and Firefox 3.? https://wiki.mozilla.org/Security/Origin

-- Clickjacking --
1. X-Frame-Options HTTP header. Supported by IE8, Chrome, Firefox + NoScript, Safari http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

I'm not sure about versions of Firefox.
What else can be added there?

---------
http://p0deje.blogspot.com
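An added example, not code from the thread or its author: a small Python WSGI middleware that emits the three response headers listed in the post (X-Frame-Options, X-Content-Security-Policy in its early Mozilla syntax, X-XSS-Protection) and uses the Origin request header as the CSRF check the post points to. The site origin https://example.com, the demo_app and the run helper are assumptions made for the example.

```python
ALLOWED_ORIGIN = "https://example.com"  # assumed site origin (placeholder)

# Response headers from the post. X-Content-Security-Policy uses the early
# Mozilla syntax ("allow" = default source list); X-XSS-Protection keeps
# IE8's filter on and blocks the page instead of rewriting it.
SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("X-Content-Security-Policy", "allow 'self'"),
    ("X-XSS-Protection", "1; mode=block"),
]
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

def origin_allowed(method, origin):
    """CSRF check: state-changing requests need Origin == site origin.
    A missing Origin (browser without support) is rejected here; relax
    this only if such browsers must be served."""
    return method not in STATE_CHANGING or origin == ALLOWED_ORIGIN

class SecurityHeadersMiddleware:
    """WSGI wrapper: rejects cross-origin writes, adds the headers above."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if not origin_allowed(method, environ.get("HTTP_ORIGIN")):
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain")] + SECURITY_HEADERS)
            return [b"cross-origin request rejected"]
        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}  # don't duplicate
            extra = [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return self.app(environ, start_with_headers)

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>hello</h1>"]

def run(app, method, origin=None):
    """Call a WSGI app with a constructed environ -> (status, headers, body)."""
    environ = {"REQUEST_METHOD": method}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
app = SecurityHeadersMiddleware(demo_app)
```

The 403 branch still carries the security headers, so an error page cannot be framed either.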
