
Web Security




Originally published in Queue vol. 10, no. 11




Cris Perdue | Thu, 07 Mar 2013 17:47:53 UTC

Thanks for the lively discussion of practical issues in browser security. I especially appreciate the comments on Convergence, "Do Not Track", and clickjacking, in addition to the overview of the area.

I have a question related to the same-origin policy. A lot of browser security, and privacy, issues I am aware of are most readily enabled by cross-site request capabilities of browsers, and this appears to me to include clickjacking as well as intranet hacking and browser-based cross-site user tracking.

My question is, if a page were in a mode that prohibited all cross-site requests, wouldn't that eliminate several classes of browser vulnerabilities? I picture this being done by an HTML header, and it would apply to everything in the page, including scripts, images, frames, and so on. This mode could have a clear visible indicator in the browser's UI, much as SSL does today.

I see it as a way for the operators of a web site to take fuller responsibility for the content and functioning of pages, which seems like something interested users could fairly easily understand and appreciate, along the lines of "all content served by [web site operator]". This seems like a more than reasonable expectation to have of commercial services such as shopping and financial sites.

Presumably execution of JavaScript, say from an in-browser debugger or a bookmarklet, would be permitted, but irrevocably remove the mode from the page.

Thank you, Cris Perdue
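The same-origin comparison behind the mode the comment proposes, applied to a constructed checkout page and its subresources, as an added example that is not part of the original discussion (the page URL, resource list and framing origin are constructed sample values). The mode amounts to rejecting every subresource, and every embedding parent, whose (scheme, host, port) triple differs from the page's own.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # hostnames compare case-insensitively
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    return origin(a) == origin(b)


def audit_page(page_url, subresources, framed_by=None):
    """Apply a strict 'no cross-site requests' mode to one page.

    Returns which subresource loads would be allowed, which would be blocked,
    and whether embedding by `framed_by` (the parent frame's URL) is refused,
    which is the clickjacking case.
    """
    allowed = [u for u in subresources if same_origin(page_url, u)]
    blocked = [u for u in subresources if not same_origin(page_url, u)]
    framing_refused = framed_by is not None and not same_origin(page_url, framed_by)
    return {"allowed": allowed, "blocked": blocked, "framing_refused": framing_refused}


# Constructed sample: a checkout page and the resources it would pull in.
PAGE = "https://shop.example:443/checkout"
SUBRESOURCES = [
    "https://shop.example/js/app.js",        # same origin (443 is implied): allowed
    "https://SHOP.example/css/site.css",     # host case differs only: allowed
    "http://shop.example/img/logo.png",      # scheme differs: blocked
    "https://shop.example:8443/api/cart",    # port differs: blocked
    "https://cdn.example/jquery.js",         # third-party script: blocked
    "https://tracker.example/pixel.gif",     # cross-site tracking pixel: blocked
    "https://intranet.local/admin",          # request into the intranet: blocked
]

if __name__ == "__main__":
    result = audit_page(PAGE, SUBRESOURCES, framed_by="https://attacker.example/")
    for u in result["blocked"]:
        print("blocked:", u)
    print("framing refused:", result["framing_refused"])
```

The `Content-Security-Policy` header's `default-src 'self'` directive expresses this same subresource restriction in browsers today.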

