Chrome Apes IE8, Adds Clickjacking, XSS Defenses

CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options'" a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection.'"In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"

Cross-site scripting

[commlinx]

Recently I starting doing a bit of web development after being out of the loop for a while. I was working on a project and it was convenient to have the XHTML / JS running on my development machine while doing a few AJAX calls to my development server. After it failed at first I found I could add Access-Control-Allow-Origin: * to the HTTP header to allow cross-site access.

It made we wonder if you wanted to exploit cross-site vulnerabilities couldn't you setup a proxy in the middle that returned information from the original site but added that to the header? Anyway just got me wondering and maybe someone more knowledgeable could comment on it.