Robert O'Callahan wrote in mozilla.dev.planning:
> There are some posts in the IE blog about IE8 security features.
> http://blogs.msdn.com/ie/
> Most of it is just trying to catch up to Firefox 3. Three things that
> we might want to look at, though:
> 1) A window.toStaticHTML DOM method to sanitize HTML to remove
> executable content
> 2) Web-accessible JSON API (is this going to make 3.1?)
> 3) Some kind of dynamic anti-XSS filter that monitors browser traffic
> and blocks stuff. Not many details about that yet.

This latter is an interesting idea, but it sounds to me like a recipe
for hard-to-understand breakage and bugs, particularly if ours works
differently to theirs. I'd be interested in closer analysis of what
proportion of attacks this might address, and whether we can immediately
think of ways attackers could break it.

Does anyone have more info, or comments on their approach? The doc is here:
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
