Slashdot Mirror
Chrome Apes IE8, Adds Clickjacking, XSS Defenses
CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options'" a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection.'"In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"
Anyone else getting flashbacks from Planet of the Apes?
Is that the new code name for the next version of Chrome? Ubuntu Panhandling Panda, now featuring Chrome Apes! Download now! Steve Balmer your Monkey Boy days are numbered, so dance while you can, it's the year of the Google Desktop.
These posts express my own personal views, not those of my employer
Recently I starting doing a bit of web development after being out of the loop for a while. I was working on a project and it was convenient to have the XHTML / JS running on my development machine while doing a few AJAX calls to my development server. After it failed at first I found I could add Access-Control-Allow-Origin: * to the HTTP header to allow cross-site access.
It made we wonder if you wanted to exploit cross-site vulnerabilities couldn't you setup a proxy in the middle that returned information from the original site but added that to the header? Anyway just got me wondering and maybe someone more knowledgeable could comment on it.
Oh my god Chrome is copying IE by supporting for the http header X-Frame-Options that Microsoft wants web developers to start using. Don't they know you're supposed to invent your own browser-specific variation of what your opponent implements?
I also like how they mention Chrome added 5 security features but they only cover the 2 that are already in IE.
It's nice that all of the browsers are adding security features but can we cover one of them without focusing on who did what first?
This post of NoScript's author Giorgio Maone dates back to one year ago and goes into the details of X-Frame-Options. His point seems to be that if you have JavaScript enabled, there are well-known ways to achieve the same result, unless you use IE (they can be circumvented). If you don't have JS enabled, NoScript on Firefox is already giving you the same degree of protection. Anyway (this is me) adding that level of protection by default on all browsers looks a nice thing to have.
I read it as "Chrome Apes, IE8 Adds Clickjacking"...
If Chrome can't block ads it's not ready for the internet. It doesn't matter what else it does and doesn't do, blocking stupid flashing graphics is the main function of web browsers these days.
I hope the submitter realized that the only reason MS even bothered with any of this is thanks to them getting an ass pounding over the last few years for not giving a shit about security. Your welcome MS drones.
MS have never got the 'ass pounding' their security record has earned. If the security problems they cause cost them just 1% of what they cost their customers they would be bankrupt fairly quickly.
Software is weird, where else would you not be responsible for the faults in the products you sell?
...when Google goes ahead, tracks your every move, and sells it to the same crooks anyway?
(Not trolling here. As far as I heard, Google does track everything. And as far as I know, Google does sell that information to advertisers as its main business. Finally, as far as I know, those advertisers include all those spamming crooks and their friends.)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I have Adblock and a ton of other extensions working just fine in Chrome. Just use the testing / developer streams which have plugin support.
Your house is seriously insecure, even if you have a steel door and have window panes are made of bullet-proof glass, you probably live in a stick frame building where a drill and a sawz-all can gain me access to the interior in an hour or two. Yet no one seems to get excited about the insecurity of our houses.
When our houses get robbed, we recognize that the wrongdoing is being done by the criminal. Yet when our computers are hacked, we place the wrongdoing on the provider of the software.
I have never really understood why software is held to such lofty standards, particularly on consumer desktops. It would be one thing if file sharing of your entire filesystem was enabled by default in typical software, but lets be real- hacks these days require really clever methods to exploit systems, and if it wasn't for very intelligent, very dedicated people constantly pounding and poking our software, we wouldn't have to worry at all. Yet an uneducated teenager can break into a house in a few minutes with little more than a stick to break a window, and we seem to all go about our day without any outrage at all.
I just don't understand this.
It's not like they are showing tweets with the comments...
Please don't give them any ideas!
Do what thou wilt shall be the whole of the Law
In large part because, as you point out, it's impossible to make a house physically secure (although security guards can hypothetically do a good job). Similarly, it's impossible to make a computer physically secure (after all, it's in a house or building and those security guards still aren't perfect). Meanwhile, software, being a virtual good, can actually provide absolute security within the confines of the computer that runs it being physically secure. Hence, there's a higher standard held on software.
No. In both situations, the wrongdoers are the criminals. The issue comes to the point, really, of whether any blame can be put upon the constructor of your house (or its parts) and the constructor of your computer (or its parts). For homes, if someone sold a lock that, as sold, should be reasonably able to stop being hacksawed through was in fact hacksawed through, you'd still have reason to blame the lock maker. Similarly, software that is clearly defective against what it reasonably should block would leave blame upon the software maker. The issue, then, is merely that Microsoft (and most software makers) regularly admit their software is faulty (the need for Windows Update). The only real thing left, then, is to point out that Microsoft has such a poor reputation, no person should reasonably expect their software to be secure; if that's your position, I agree that blame is being badly cast on Microsoft.
Again, software can be actually made secure. Most the "easy" exploits have been fixed because they are actually fixable. There's nothing you can do to prevent a teenager from being able to break into a house (well, not legally, anyways); you can in many states/areas shoot the teenager after they enter. The comparison is rather apple and oranges.
Eurohacker European paranoia, gun rights, and h