Introduction (Mozilla Archive)

Originally posted on blog.mozilla.org/ladamski on October 10, 2008

I want to help move the state of software security forward, especially web security.  Web developers currently are groaning under a load of patchwork security mitigations caused by the desire of browser & plugin developers to maintain compatibility with existing content while not really effectively supporting the rich applications of today and tomorrow.

For example, all web applications are vulnerable to cross-site scripting and similar code injection attacks by default, unless painstakingly mitigated by the application or framework developers.  Cross-domain data loading currently relies on server-side proxies, script importing, or Flash.  Cross-site/inter-frame communication is likewise hokey and risk-prone.

Fortunately, things are starting to change for the better.  Access Control (http://www.w3.org/TR/access-control/) provides developers with native HTML methods for safely performing cross-site data loading, while postMessage (http://developer.mozilla.org/en/DOM/window.postMessage) provides a mechanism for frames from different sites to communicate securely.  Neither of these mechanisms is a fool-proof design, in the sense that misconfiguration could still result in a security vulnerability, but both are a tremendous improvement and far safer than importing random scripts over HTTP.
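The misconfiguration caveat above, shown for a postMessage receiver as an added example that is not part of the original post: a handler that checks the sender's origin loosely sits beside one that checks it exactly. The origin `https://widgets.example.com`, the `set-name` message shape and all function names are assumptions made for the illustration.

```javascript
// Added illustration; origin, message shape and function names are assumptions.
const TRUSTED_ORIGINS = new Set(["https://widgets.example.com"]); // constructed value

// Misconfigured receiver: a substring test on the origin and no schema check.
// "https://widgets.example.com.lookalike.test" contains the trusted host name,
// so a look-alike origin is accepted and its data is applied as-is.
function handleMessageWeak(event, state) {
  if (event.origin.indexOf("widgets.example.com") === -1) return false;
  const msg = JSON.parse(event.data);
  state.displayName = msg.displayName;
  return true;
}

// Hardened receiver: exact origin match, bounded input, strict message shape.
function handleMessageStrict(event, state) {
  // event.origin is scheme + host + port; compare it whole, never by substring.
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  if (typeof event.data !== "string" || event.data.length > 1024) return false;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (err) {
    return false; // not JSON: drop it
  }
  if (msg === null || typeof msg !== "object") return false;
  if (msg.type !== "set-name" || typeof msg.displayName !== "string") return false;
  state.displayName = msg.displayName.slice(0, 64);
  // Reply to the verified origin only; a "*" target would hand the reply to
  // whatever document currently occupies the sending window.
  if (event.source) {
    event.source.postMessage(JSON.stringify({ type: "ack" }), event.origin);
  }
  return true;
}

// In a browser the strict handler is registered on the window; this guard lets
// the same file load under Node for testing.
const appState = { displayName: "" };
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (e) => handleMessageStrict(e, appState));
}
```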

In addition to designs largely finalized and in the process of being implemented in browsers, there are also a number of research efforts aimed at providing better mechanisms for addressing Cross-site Request Forgery (see the Origin header proposal located here: http://crypto.stanford.edu/websec/specs/origin-header), Cross-site Scripting mitigations (http://people.mozilla.org/~bsterne/content-security-policy), and content restrictions aka sandboxing (http://www.w3.org/html/wg/html5/#sandbox).

The above list is just a few examples of the initiatives brewing out there, and I will be digging into them in more detail in future posts.

Author: Lucas Adamski

20+ years in the Bay Area, with diverse experience leading hybrid software/hardware products, security, web platforms, devops and helping drive product. Diverse background from tiny startups to large corporations, lots of experience with distributed teams and building high trust cultures (and occasionally, failing to).
