Browser security handbook

If you are interested in web browsers or web pages ( – if you aren't, what are you doing reading my blog?? – ) and haven't seen Michal Zalewski's Browser Security Handbook, you should have a look. It is a very impressive resource!

(Some of the Opera-related information needs corrections. For example, Opera also uses an IDNA TLD whitelist though the page claims we always show such domains with their intended characters. Also, the list is among Opera's downloadable settings so we can easily add and remove top level domains if registrars change their policies or do not follow them correctly. Another example is where they claim Opera allows XMLHttpRequest with any random verb – no, we silently convert unknowns to GET, which is probably a very stupid thing to do and will probably be fixed to do something more sensible when we or the spec authors figure out what that should be.)

I'm not through everything yet, and I have already nagged developers about issues we should investigate or fix. Seeing those tables comparing browser policies on security-sensitive issues is really an eye-opener sometimes.

On a side note, it's nice that Google security researcher Chris Evans gives Opera "some serious credit" on getting CANVAS security right, and the IE blog mentions Opera's site patching as a precursor to their downloadable list of sites to show in compatibility view. (I guess they didn't even know that one of the settings we can force for a specific site through override_downloaded.ini is whether to show it in quirks or standards mode.) Nothing like some peer recognition of our work 😎


5 thoughts on “Browser security handbook”

  1. I would like to see Internet Explorer do something like browser.js rather than just make a list containing about 95% of current websites to be shown in quirks mode. Sure that would be a lot of work for them to find all of the sites that they handle incorrectly, but it would be a great way to push a better engine and remind site owners that they need to do their part and code better.

  2. I think something like browser.js wouldn't scale very well for them – their compatibility challenges right now are probably much larger than Opera's, actually! The way they are going with this I wouldn't be surprised if they also implemented some way a site could say "oh, don't apply the mode from the automated list" to cover cases where web developers solve the problem but run into new issues because now the rendering mode is wrong #-p. The great thing about browser.js is that fixes can be almost as granular as you wish. If the site just expects its built-in custom document.getElementByClassName() but yet doesn't overwrite ours we don't need to switch to using the Opera 8 engine or JavaScript mode or anything – we can just quietly drop that specific method before running the page script that will redefine it. The mode switches IE8 is implementing are heavy-handed in comparison. If they could do something more granular it would be terribly complex but also possibly more friendly to web developers who try to correct their errors.

  3. @hallvors: Their x-ua-compatible (or whatever it's called) setting overrides any list entries. So if a site requests a certain behavior, it'll get it.
