Google is touting three new security features added to the latest version of its Chrome browser, including new protections against reflective cross-site scripting.
Google has beefed up the latest version of its Chrome browser with new security protections designed to help developers build secure Websites.
In Chrome 4, which was released Jan. 25, Google added three new security features: strict transport security, cross-origin communication with postMessage and reflective cross-site scripting (XSS) protection.
Strict transport security requires a browser to access a Website through a secure connection, such as HTTPS.
"That means the browser will always use HTTPS to connect to the site and will treat all HTTPS errors as hard stops (instead of prompting the user to 'click through' certificate errors)," blogged Adam Barth, a software engineer at Google. "This feature strengthens the browser's defenses against attackers who control the network, such as malicious folks disrupting the wireless network at a coffee shop."
Google is not the only one implementing strict transport security. Firefox add-on NoScript has implemented it as well, as have some Websites, such as PayPal.
Google also added the ability to use postMessage to communicate with Google Gadgets.
"The postMessage API is a new HTML5 feature that lets web developers establish a communication channel between frames in different origins," Barth explained. "Previously, when you wanted to add a gadget to your web page, you had two options: (1) include the gadget via a script tag, or (2) embed the gadget using an iframe tag. ... postMessage changes the game. By using postMessage to communicate with the gadget, you get the security advantages of an iframe with all the interactivity of a script tag."
In addition, he said, developers can use postMessage to create more secure versions of existing gadgets.
The final new ingredient to Google Chrome 4 is an experimental feature to address reflective cross-site scripting. The new XSS filter checks whether a script about to run on a Web page is also present in the request that fetched that Web page, an indication that the Web server may have been tricked into reflecting the script.
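
The check described above, reduced to its core idea as an added example (this is not WebKit's or Google's code). The function names, the minimum-length threshold and the sample requests are assumptions constructed for illustration.

```javascript
// Simplified illustration of a reflection check; not WebKit's implementation.
// All names, MIN_SCRIPT_LENGTH and the sample requests are assumptions.
const MIN_SCRIPT_LENGTH = 8; // very short scripts match request data by chance

// Strip whitespace so trivial spacing differences do not hide a match.
function canonicalize(text) {
  return text.replace(/\s+/g, "");
}

// URL-decode the parts of a request the sender controls: query string and form body.
function decodeRequest(url, body = "") {
  return [new URL(url).search.slice(1), body].map((part) => {
    try {
      return decodeURIComponent(part.replace(/\+/g, " "));
    } catch {
      return part; // malformed percent-encoding: fall back to the raw text
    }
  }).join("\n");
}

// True when the inline script about to run also appears in the request that
// fetched the page, i.e. the server probably echoed it back.
function isReflectedScript(scriptSource, url, body = "") {
  const script = canonicalize(scriptSource);
  if (script.length < MIN_SCRIPT_LENGTH) return false;
  return canonicalize(decodeRequest(url, body)).includes(script);
}

// Constructed samples: [inline script, request URL, POST body]
const samples = [
  ["alert(document.cookie)",
   "https://shop.example/search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E", ""],
  ["initSearch('shoes');", "https://shop.example/search?q=shoes", ""],
  ["alert( 1 )", "https://shop.example/comment", "msg=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"],
];
for (const [script, url, body] of samples) {
  console.log(isReflectedScript(script, url, body) ? "block" : "allow", "-", script);
}
```

The second sample shows why the whole script body is compared: a page's own script that merely contains a search term from the request is not treated as reflected.
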
Google integrated the filter into WebKit, Chrome's rendering engine, so that the filter can catch scripts right before they are executed and so it can be used by every WebKit-based browser.
"The XSS filter is similar to those found in Internet Explorer 8 and NoScript," Barth said. "We are aware of a few ways to bypass the filter, but, on balance, we think that the filter is providing enough benefit to enable it by default in this release."
Barth also touted Chrome's clickjacking protections as well as cross-site request forgery protection via Origin Header.
The popularity of Chrome is on the upswing. According to market research company Net Applications, worldwide use of Chrome grew to 4.63 percent in December, inching past Apple's Safari browser but still far behind Microsoft Internet Explorer and Mozilla Firefox.