Chrome Apes IE8, Adds Clickjacking, XSS Defenses
CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options,' a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection. 'In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"
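A simplified sketch of the check Barth describes in the summary above, added here as an illustration; it is not Chrome's filter code. The function names, the decode depth and the minimum-length threshold are assumptions, and the sample request is constructed.

```javascript
// Heuristic: an inline script whose text also appears in the request that
// fetched the page was probably reflected by the server.
const MIN_LEN = 8;      // assumed: skip tiny scripts that would match by chance
const MAX_DECODES = 3;  // assumed: how many encoding layers to peel off

// Percent-decode repeatedly so double-encoded input is compared in clear form.
function fullyDecode(s) {
  let cur = s.replace(/\+/g, " ");
  for (let i = 0; i < MAX_DECODES; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; } // malformed escape
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Drop whitespace and case so trivial reformatting by the server still matches.
function canon(s) {
  return s.replace(/\s+/g, "").toLowerCase();
}

// Returns the inline scripts from the response that also occur in the request.
function reflectedScripts(requestUrl, postBody, inlineScripts) {
  const url = new URL(requestUrl);
  const haystack = [url.pathname + url.search, postBody || ""]
    .map((part) => canon(fullyDecode(part)))
    .join("\0");
  return inlineScripts.filter((src) => {
    const needle = canon(src);
    return needle.length >= MIN_LEN && haystack.includes(needle);
  });
}

// Constructed sample: one script echoed from the query string, one the site's own.
const sampleUrl =
  "https://example.test/search?q=%3Cscript%3Ealert(%27constructed%27)%3C%2Fscript%3E";
const sampleScripts = ["alert('constructed')", "initSearchBox({ autofocus: true });"];
console.log(reflectedScripts(sampleUrl, "", sampleScripts)); // only the echoed script
```

A filter built this way only sees reflected input; script that the server stored earlier and serves later never appears in the current request, which is why the summary limits the claim to reflective XSS.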
Recently I started doing a bit of web development after being out of the loop for a while. I was working on a project and it was convenient to have the XHTML / JS running on my development machine while doing a few AJAX calls to my development server. After it failed at first, I found I could add Access-Control-Allow-Origin: * to the HTTP header to allow cross-site access.
It made me wonder: if you wanted to exploit cross-site vulnerabilities, couldn't you set up a proxy in the middle that returned information from the original site but added that to the header? Anyway, it just got me wondering, and maybe someone more knowledgeable could comment on it.
Oh my god, Chrome is copying IE by supporting the HTTP header X-Frame-Options that Microsoft wants web developers to start using. Don't they know you're supposed to invent your own browser-specific variation of what your opponent implements?
I also like how they mention Chrome added 5 security features but they only cover the 2 that are already in IE.
It's nice that all of the browsers are adding security features but can we cover one of them without focusing on who did what first?
This post by NoScript's author Giorgio Maone dates back a year and goes into the details of X-Frame-Options. His point seems to be that if you have JavaScript enabled, there are well-known ways to achieve the same result, unless you use IE (they can be circumvented). If you don't have JS enabled, NoScript on Firefox is already giving you the same degree of protection. Anyway (this is me), adding that level of protection by default on all browsers looks like a nice thing to have.
I'm a native English speaker and it seems like a bizarre, stupid usage of the word to me. But then, Slashdot headlines have always had trouble making sense.
== Jez ==
Do you miss Firefox? Try Pale Moon.
I hope the submitter realized that the only reason MS even bothered with any of this is thanks to them getting an ass pounding over the last few years for not giving a shit about security. You're welcome, MS drones.
MS have never got the 'ass pounding' their security record has earned. If the security problems they cause cost them just 1% of what they cost their customers they would be bankrupt fairly quickly.
Software is weird, where else would you not be responsible for the faults in the products you sell?
For users familiar with the ad-blocking in Firefox or Opera, Chrome's ad-blocking extensions are terrible in comparison. They don't render the ad, but they still waste bandwidth downloading it, negating half of their value.
Chromium doesn't include a provision for real element blocking, so this issue would have to be dealt with in the browser itself, not just in the extensions.
Do what thou wilt shall be the whole of the Law
(I work at Google, hence posting as AC.)