Google Chrome 4 Bolsters Browser Security with New Features

Google is touting three new security features added to the latest version of its Chrome browser, including new protections against reflective cross-site scripting.

Google has beefed up the latest version of its Chrome browser with new security protections designed to help developers build secure Websites.

In Chrome 4, which was released Jan. 25, Google added three new security features: strict transport security, cross-origin communication with postMessage and reflective cross-site scripting (XSS) protection.

Strict transport security requires a browser to access a Website through a secure connection, such as HTTPS.

"That means the browser will always use HTTPS to connect to the site and will treat all HTTPS errors as hard stops (instead of prompting the user to 'click through' certificate errors)," blogged Adam Barth, a software engineer at Google. "This feature strengthens the browser's defenses against attackers who control the network, such as malicious folks disrupting the wireless network at a coffee shop."

Google is not the only one implementing strict transport security. Firefox add-on NoScript has implemented it as well, as have some Websites such as PayPal.

Google also added the ability to use postMessage to communicate with Google Gadgets.

"The postMessage API is a new HTML5 feature that lets web developers establish a communication channel between frames in different origins," Barth explained. "Previously, when you wanted to add a gadget to your web page, you had two options: (1) include the gadget via a script tag, or (2) embed the gadget using an iframe tag. ... postMessage changes the game. By using postMessage to communicate with the gadget, you get the security advantages of an iframe with all the interactivity of a script tag."

In addition, he said, developers can use postMessage to create more secure versions of existing gadgets.

The final new ingredient to Google Chrome 4 is an experimental feature to address reflective cross-site scripting. The new XSS filter checks whether a script about to run on a Web page is also present in the request that fetched that Web page, an indication that the Web server may have been tricked into reflecting the script.

Google integrated the filter into WebKit, Chrome's rendering engine, so that the filter can catch scripts right before they are executed and so it can be used by every WebKit-based browser.
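The check described above, reduced to its core idea as an added JavaScript sketch (not WebKit's or Chrome's filter code; the function names, the length threshold and the sample request are constructed for illustration): a script is refused when its source also appears in the decoded URL or body of the request that fetched the page.

```javascript
// Added illustration: simplified model of a reflective-XSS check.
// Not WebKit's code; names, threshold and sample data are constructed.

const MIN_SCRIPT_LENGTH = 8; // assumed cutoff: tiny scripts match by accident

// Whitespace is dropped so reformatting by the server does not hide a match.
function stripWhitespace(text) {
  return text.replace(/\s+/g, '');
}

// Undo form encoding ('+' for space) and up to three layers of
// percent-encoding, stopping early on malformed escapes.
function decodeRequestData(raw) {
  let current = raw.replace(/\+/g, ' ');
  for (let layer = 0; layer < 3; layer++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (err) {
      break;
    }
    if (decoded === current) break;
    current = decoded;
  }
  return stripWhitespace(current);
}

// True when the script about to run also appears in the URL or body
// of the request that fetched the page.
function isReflected(scriptSource, request) {
  const script = stripWhitespace(scriptSource);
  if (script.length < MIN_SCRIPT_LENGTH) return false;
  return [request.url, request.body || '']
    .map(decodeRequestData)
    .some((data) => data.includes(script));
}

// Constructed sample: a search page that echoes its q parameter.
const sampleRequest = {
  url: 'https://shop.example/search?q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E',
  body: '',
};
const samplePageScripts = [
  'initSearchBox("results");', // shipped by the site itself
  'alert(document.domain)',    // echoed back from the request
];

for (const source of samplePageScripts) {
  const verdict = isReflected(source, sampleRequest) ? 'blocked' : 'allowed';
  console.log(`${verdict}: ${source}`);
}
```

A script the site ships itself never appears in the request, so it is allowed; the same comparison also covers form bodies and values that were percent-encoded more than once.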

"The XSS filter is similar to those found in Internet Explorer 8 and NoScript," Barth said. "We are aware of a few ways to bypass the filter, but, on balance, we think that the filter is providing enough benefit to enable it by default in this release."

Barth also touted Chrome's clickjacking protections as well as cross-site request forgery protection via Origin Header.

The popularity of Chrome is on the upswing. According to market research company Net Applications, worldwide use of Chrome grew to 4.63 percent in December, inching past Apple's Safari browser but still far behind Microsoft Internet Explorer and Mozilla Firefox.