July 2, 2008
IE8 And XSS Protection
The IEBlog talks about a new IE8 feature that helps prevent some XSS attacks.
While it is quite interesting, I do wonder if the algorithm should be released as a W3C standard so that browser vendors and others can improve on it in an open fashion. Web apps may break because of this, and if each vendor does it differently, this could be yet another pain for developers.
Posted by doron at July 2, 2008 8:17 PM
Comments
Pretty interesting indeed, thanks for sharing. Unlike NoScript's "let's kill the web" approach, this one actually makes sense. Question is, however - will it work? They admit that they are only recognizing the most common types of XSS attacks. But inserting a <script> tag is only most common because it is most simple - if the browsers implement an effective protection against that type of attack there are still lots of alternatives and lots of ways to obfuscate the attack. And Internet Explorer just isn't updated often enough to keep up.
Would be interesting to try that in a Firefox extension - if I can find time.
Posted by: Wladimir Palant at July 2, 2008 10:17 PM
Wladimir is quite misinformed about NoScript's Anti-XSS protection: http://ha.ckers.org/blog/20080702/xssfilter-released/#comment-79984 .
In fact, IE8's XSS Filter actually "borrows" many concepts from NoScript: http://hackademix.net/2008/07/03/noscripts-anti-xss-filters-partially-ported-to-ie8/ .
Posted by: Giorgio Maone at July 6, 2008 9:13 AM
Hi,
just installed your Gmail Notifier, it's great, the only thing I miss is the possibility to open my account even when there's no new messages. So a new menu item "open Gmail account" would really be great :)
Posted by: user at July 10, 2008 5:15 AM