Thursday, June 12th, 2008

TLS Report: Best and Worst Security Charts

Category: Security

The TLS Report is a new site that Benjamin Black has put together to watch over the security of major sites on the internet. There have been services that watch the top sites for various statistics, but not security. The best and worst list has some surprises, namely: Best:, good to see a bank …

Posted by Dion Almaer at 7:04 am

Thursday, May 22nd, 2008

crossdomain.xml misconfigurations galore

Category: Security

Jeremiah Grossman took a fresh look at crossdomain.xml usage and decided to see which top domains had lenient policies in their files, which is now published and updated. Why is this important? This week I took a renewed interest in crossdomain.xml. For those unfamiliar, this is Flash’s opt-in policy file that extends the same-origin policy …

Posted by Dion Almaer at 7:23 am

Tuesday, May 13th, 2008

What’s in a

Category: Security

Sometimes it is interesting to see that knowledge from the 10,000 B.C. period of web development can be used in new ways to create – to play it safely – interesting ideas. Each window in a browser has a name property which became pretty much useless when we stopped using pop-up windows and tried to …

Posted by Chris Heilmann at 10:06 am

Thursday, April 17th, 2008

Fingerprint: A print for your typing

Category: JavaScript, Security

Do you type the same way consistently? Say, if you put in your username and password? Marcus Westin has created a little jQuery plugin that measures a fingerprint based on your typing style, Fingerprint. Easy to use: $('#form').fingerprint(); This automatically injects hidden fields with names 'timestamp-down' and 'timestamp-up' …

Posted by Dion Almaer at 10:44 am

Thursday, April 10th, 2008

IE 8 Security Updates

Category: Browsers, IE, Security

Microsoft has put out a set of security updates, and one of them is discussed in a post IE8 Security Part I: DEP/NX Memory Protection. Over the next several weeks, we’ll blog in greater detail about some of the security improvements in Beta 1, such as the new Safety Filter, greater control over ActiveX controls, …

Posted by Dion Almaer at 7:43 am

Monday, April 7th, 2008

window.crypto: want crypto primitives in the browser? You may already have it

Category: Browsers, Firefox, Security

It seems to make sense to add crypto helpers to the browser, for use by us, the humble JavaScript developers. I have called for this in the past and people bring it up often on various lists. Brad Neuberg found that Gecko actually has built-in crypto primitives via window.crypto! Mozilla defines a special JavaScript …

Posted by Dion Almaer at 7:21 am

Monday, March 31st, 2008

Using a hash property for security and caching

Category: Performance, Security

Douglas Crockford would like to see a hash= attribute to aid security and performance: Any HTML tag that accepts a src= or href= attribute should also be allowed to take a hash= attribute. The value of a hash attribute would be the base 32 encoding of the SHA of the object that would be retrieved. …

Posted by Dion Almaer at 8:35 am

Thursday, March 20th, 2008

OpenID and OAuth in the browser?

Category: Browsers, Gears, Security

Originally posted on my personal tech blog. When I was looking over Brad Neuberg’s Paper Airplane thought experiment I noticed the single sign-on feature, where you log in to the browser, and then you are done. I realized that this is what I actually want. Having one sign-on via OpenID is really nice. It allows …

Posted by Dion Almaer at 8:59 am

Friday, February 29th, 2008

xssinterface: cross domain access using postMessage and more

Category: JavaScript, Security

Malte Ubl has put together a library called xssinterface (somewhat scary name) that uses postMessage when available, and tries work-arounds when not, to give you cross-domain JavaScript access. How it works: For browsers that support it, we use the postMessage() interface. For all other browsers, we use the following mechanism: All sites that participate …

Posted by Dion Almaer at 8:14 am

Wednesday, February 13th, 2008

Is easy implementation the same as good code?

Category: Accessibility, Examples, JavaScript, Security, Unobtrusive JS

I’ve just come across a solution for badges on web sites that makes it terribly easy for implementers. The idea is that the implementer could add a badge wherever they want in an HTML document, choose the look and feel and add a message to be shown. The implementation code is the following: …

Posted by Chris Heilmann at 7:45 am

Thursday, February 7th, 2008

Security Focus: JavaScript Global Namespace Pollution

Category: JavaScript, Security

Security should always be a concern when developing client-side applications, as time and time again sites have been compromised by a lack of forethought into how users, especially malicious ones, interact with your site. is an excellent site for staying abreast of new security exploits and the team constantly pushes the boundaries of how …

Posted by Rey Bango at 10:31 am

Thursday, January 31st, 2008

Secure String Interpolation in JavaScript

Category: JavaScript, Library, Security

Mike Samuel of the Google Caja team (and much more) has a fantastically detailed document on the choices for secure string interpolation in JavaScript. He spends a lot of time discussing: cataloging the most common vulnerabilities; various alternatives such as templating, DOM manipulation, and tainting; goals and non-goals; design and implementation; and benchmarking the choices. There …

Posted by Dion Almaer at 10:46 am

Wednesday, January 30th, 2008

Book Review: Ajax Security by Billy Hoffman

Category: Ajax, Book Reviews, Security

Brian Dillard of Agile Ajax has a review of Billy Hoffman’s new book “Ajax Security”. If you’ve not picked this book up, you really need to. It’s received rave reviews and is quickly becoming the must-have security book for client-side development. As Brian can attest: The book itself, of course, documents dozens more specific security …

Posted by Rey Bango at 6:00 am

Sunday, January 20th, 2008

Dangers of Remote Scripting

Category: Security, Widgets

O’Reilly Radar comments on the dangers of remote scripting: We at O’Reilly just got bit on, which redirected to a porn site courtesy of a piece of remotely-included JavaScript. One of our advertisers was using an ads system that required our pages to load JavaScript from their site. It only took three things to turn …

Posted by Michael Mahemoff at 7:02 am

Monday, January 14th, 2008

HTML Purifier 3.0

Category: Library, PHP, Security

HTML Purifier 3.0 has been released. What is HTML Purifier? HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable …

Posted by Dion Almaer at 6:08 am

Thursday, January 10th, 2008

Cross-Site XMLHttpRequest in Firefox 3

Category: Security, XmlHttpRequest

John Resig has written up documentation of Cross-Site XMLHttpRequest that discusses the W3C Access Control working draft which Firefox 3 implements. He gives us a nice example: In a nutshell, there are two techniques that you can use to achieve your desired cross-site-request result: specifying a special Access-Control header for your content or including an …

Posted by Dion Almaer at 12:29 pm