Slashdot Mirror


Chrome Apes IE8, Adds Clickjacking, XSS Defenses

CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options,' a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection. 'In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"
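The check Barth describes in the summary above, sketched as an added example; it is not part of the original submission and is not Chrome's filter code. It compares each inline script in a response with the decoded query string and POST body of the request that fetched it. The function names, the `MIN_LEN` threshold and the `shop.example` sample are assumptions made for illustration.

```javascript
// Added illustration of the heuristic; not Chrome's code. All names are hypothetical.
const MIN_LEN = 8; // assumed floor so very short scripts do not match by chance

// Lowercase and drop whitespace so trivial spacing/case changes still compare equal.
function normalize(s) {
  return s.toLowerCase().replace(/\s+/g, "");
}

// Decode a query string or form body: '+' is a space, then percent-decoding.
// A malformed escape sequence leaves the text undecoded instead of throwing.
function decodeRequestPart(s) {
  const spaced = s.replace(/\+/g, " ");
  try {
    return decodeURIComponent(spaced);
  } catch (e) {
    return spaced;
  }
}

// Collect the bodies of inline <script> blocks in an HTML response.
// A regex is enough for this sample; a browser works on its parsed document.
function extractInlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) out.push(m[1]);
  }
  return out;
}

// Return the inline scripts of the response that also appear in the request.
function reflectedScripts(requestUrl, postBody, responseHtml) {
  const q = requestUrl.indexOf("?");
  const query = q === -1 ? "" : requestUrl.slice(q + 1);
  const haystacks = [query, postBody || ""].map((p) => normalize(decodeRequestPart(p)));
  return extractInlineScripts(responseHtml).filter((body) => {
    const needle = normalize(body);
    return needle.length >= MIN_LEN && haystacks.some((h) => h.includes(needle));
  });
}

// Constructed sample: a search page that echoes the "q" parameter unescaped.
const sampleUrl = "http://shop.example/search?q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E";
const sampleHtml =
  "<html><body><script>initSearchBox();</script>" +
  "<p>Results for <script>alert(document.domain)</script></p></body></html>";

console.log(reflectedScripts(sampleUrl, "", sampleHtml)); // only the echoed script is flagged
```

The page's own `initSearchBox();` script is not flagged because it never appears in the request, which is why the heuristic only addresses the reflective form of XSS named in the quote.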


  1. Re:Cross-site scripting by NNKK · · Score: 4, Insightful

    At that point you're already a man in the middle and can send whatever you want to the browser, why on earth would you need to exploit XSS vulnerabilities?

  2. Re:Chrome Apes? Moronic Monkies? by Velska1 · · Score: 1, Insightful

    Believe me, it's used frequently enough for any fluent speaker in conversations, let alone native speakers. It's an old one, besides, I found it in a dictionary from the 1950s.

    --
    Every problem has a solution that is simple, easy and wrong. Selling our Liberty for a little Security is a much too de
  3. Dumb article by Undead+Waffle · · Score: 5, Insightful

    Oh my god Chrome is copying IE by supporting the HTTP header X-Frame-Options that Microsoft wants web developers to start using. Don't they know you're supposed to invent your own browser-specific variation of what your opponent implements?

    I also like how they mention Chrome added 5 security features but they only cover the 2 that are already in IE.

    It's nice that all of the browsers are adding security features but can we cover one of them without focusing on who did what first?

    1. Re:Dumb article by Robert+Zenz · · Score: 4, Insightful

      Google copies Microsoft. Google is showing no imagination. First their own OS, Browser and now security features that MS originally put in their browser.

      I didn't know that MS invented operating systems and browsers, and when you write your own that you're copying from MS.

  4. Re:Chrome Apes? Moronic Monkies? by jez9999 · · Score: 3, Insightful

    I'm a native English speaker and it seems like a bizarre, stupid usage of the word to me. But then, Slashdot headlines have always had trouble making sense.

  5. Re:Stay classy /. by 1s44c · · Score: 3, Insightful

    I hope the submitter realized that the only reason MS even bothered with any of this is thanks to them getting an ass pounding over the last few years for not giving a shit about security. You're welcome MS drones.

    MS have never got the 'ass pounding' their security record has earned. If the security problems they cause cost them just 1% of what they cost their customers they would be bankrupt fairly quickly.

    Software is weird, where else would you not be responsible for the faults in the products you sell?

  6. What's the need for all this security stuff... by Hurricane78 · · Score: 2, Insightful

    ...when Google goes ahead, tracks your every move, and sells it to the same crooks anyway?

    (Not trolling here. As far as I heard, Google does track everything. And as far as I know, Google does sell that information to advertisers as its main business. Finally, as far as I know, those advertisers include all those spamming crooks and their friends.)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
    1. Re:What's the need for all this security stuff... by StripedCow · · Score: 2, Insightful

      And as far as I know, Google does sell that information to advertisers as its main business

      Not so sure about that... in their privacy statement, they say that they inform advertisers only about the number of times their ads were clicked (that is, in total, thus no information about individual clicks is released).

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
  7. Re:Stay classy /. by Anonymous Coward · · Score: 1, Insightful

    Because if you were, you probably wouldn't be able to purchase the software as it'd be seriously more expensive than it is today.

  8. Re:Ads by W3bbo · · Score: 2, Insightful

    Some 'adblocker detection' services may flag your client if they see you've downloaded the page, but not the associated ad content, so they know your browser isn't displaying the ad, but if the client does download it they have no way of knowing if it's being rendered or not, short of using a DOM-inspection script. With the exception of Flash video adverts, I've never had any bandwidth problems with banners, except for those off-site advert scripts that delay the page loading.

  9. Re:Stay classy /. by Kevin+Stevens · · Score: 2, Insightful

    Your house is seriously insecure, even if you have a steel door and have window panes made of bullet-proof glass, you probably live in a stick frame building where a drill and a sawz-all can gain me access to the interior in an hour or two. Yet no one seems to get excited about the insecurity of our houses.

    When our houses get robbed, we recognize that the wrongdoing is being done by the criminal. Yet when our computers are hacked, we place the wrongdoing on the provider of the software.

    I have never really understood why software is held to such lofty standards, particularly on consumer desktops. It would be one thing if file sharing of your entire filesystem was enabled by default in typical software, but let's be real: hacks these days require really clever methods to exploit systems, and if it wasn't for very intelligent, very dedicated people constantly pounding and poking our software, we wouldn't have to worry at all. Yet an uneducated teenager can break into a house in a few minutes with little more than a stick to break a window, and we seem to all go about our day without any outrage at all.

    I just don't understand this.