Browsers to spell the end of XSS?

Date July 2, 2008

Congrats to RSnake for working the ’softies and breaking the news that IE8 will have anti-XSS technology built into the browser.

This is really very cool, and as RSnake says, a big step in the right direction – programmers will always make mistakes, and any method that helps protect buggy software from being exploited (even if only temporarily) is a benefit.

I’ve been doing some research for an upcoming talk, and I must say that Mozilla’s proposal for a Site Security Policy goes a step beyond this.  The negatives are that a) it’s an incomplete add-in, whereas the IE guys have hard plans (and code, it seems) to incorporate XSS protection in the next version they ship, and b) developers have to actually set the policy or it defaults to no protection (whereas IE will always provide some, even if it is not “full”).  I really like the ability to say “I’m not going to have any executable JS in this page”, and “If I do have JS, it’s going to be delivered from here” – that totally removes the potential for the browser to load “untrusted” code.
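To make the two statements above concrete, here is an added example (my own code, not from the post, from Mozilla, or from Microsoft) of how a browser could decide, script by script, whether a page’s script-source policy lets it run. It assumes a CSP-style directive syntax (`script-src 'none'`, `'self'`, or an origin), which is the form the Site Security Policy idea was later standardized in as Content Security Policy; the page URL, script URLs and the injected script are constructed sample values.

```javascript
// Added example: a toy model of a script-source policy such as the one
// described in the post. Assumption: CSP-style syntax "script-src <src> ...",
// where a source is 'none', 'self', or an origin like https://static.example.com.
// This is not the 2008 Site Security Policy draft's exact wording.

// Parse the script-src directive out of a policy string; null means the
// policy says nothing about scripts (so nothing is restricted).
function parseScriptSrc(policyText) {
  const directives = policyText.split(";").map(d => d.trim()).filter(Boolean);
  for (const d of directives) {
    const [name, ...sources] = d.split(/\s+/);
    if (name === "script-src") return sources;
  }
  return null;
}

// Reduce a URL to its origin (scheme + host + port), which is what a
// source list is matched against.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide whether a script may run on the page at pageUrl.
// script is { inline: true, code: "..." } or { src: "https://..." }.
function scriptAllowed(policyText, pageUrl, script) {
  const sources = parseScriptSrc(policyText);
  if (sources === null) return true;            // no policy: browser behaves as today
  if (sources.includes("'none'")) return false; // "no executable JS in this page"
  if (script.inline) return false;              // inline script is never in a source list here
  const scriptOrigin = originOf(script.src);
  for (const s of sources) {
    if (s === "'self'" && scriptOrigin === originOf(pageUrl)) return true;
    if (!s.startsWith("'") && originOf(s) === scriptOrigin) return true;
  }
  return false;                                 // "delivered from here" only
}

// Constructed scenario: a page on app.example.com whose search box reflects
// user input unescaped. The inline script is the attacker-injected one that a
// script-source policy is meant to stop; the others are legitimate includes.
const PAGE = "https://app.example.com/search?q=term";
const injected = { inline: true, code: "/* attacker-injected inline script */" };
const ownScript = { src: "https://app.example.com/js/app.js" };
const cdnScript = { src: "https://static.example.com/lib.js" };
const thirdParty = { src: "https://ads.example.net/track.js" };

// Run the four scripts against four policies and report what would execute.
function evaluatePolicies() {
  const policies = {
    noPolicy: "",
    noScripts: "script-src 'none'",
    selfOnly: "script-src 'self'",
    selfAndCdn: "script-src 'self' https://static.example.com",
  };
  const result = {};
  for (const [name, policy] of Object.entries(policies)) {
    result[name] = {
      injected: scriptAllowed(policy, PAGE, injected),
      own: scriptAllowed(policy, PAGE, ownScript),
      cdn: scriptAllowed(policy, PAGE, cdnScript),
      thirdParty: scriptAllowed(policy, PAGE, thirdParty),
    };
  }
  return result;
}

console.log(JSON.stringify(evaluatePolicies(), null, 2));
```

The point the table of results makes is the one the post makes: with no policy, the reflected inline script runs exactly like the site’s own code, while any policy with a source list blocks it, because an injected script is inline and has no origin to whitelist. Note that the match is on full origin, so an `http://` include on an `https://` page is refused under `'self'`; a real browser would also have to handle redirects and `'unsafe-inline'`-style escape hatches, which this model deliberately omits.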

What I really hope is that both browsers put their differences aside on who created what, or who supports what, and actually implement both solutions in a cross-platform way.  If that happens, we may very well say goodbye to one of the most prevalent webapp vulnerabilities, and the web will be a much safer place for people in general.

[EditToAdd] Found this blog post that details the additional security features IE8 is going to have.  Looks pretty cool.
