"Gervase Markham" <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]> ...
> Robert O'Callahan wrote in mozilla.dev.planning:
> > There are some posts in the IE blog about IE8 security features.
> > http://blogs.msdn.com/ie/
> > Most of it is just trying to catch up to Firefox 3. Three things that
> > we might want to look at, though:
> > 1) A window.toStaticHTML DOM method to sanitize HTML to remove
> > executable content
> > 2) Web-accessible JSON API (is this going to make 3.1?)
> > 3) Some kind of dynamic anti-XSS filter that monitors browser traffic
> > and blocks stuff. Not many details about that yet.
>
> This latter is an interesting idea, but it sounds to me like a recipe
> for hard-to-understand breakage and bugs, particularly if ours works

Is this idea similar to the user-level phishing-shield plug-in available at
http://www.parentapproval.com ? This is based on user-managed white-list
and labels of PPI (protected personal info).

> differently to theirs. I'd be interested in closer analysis of what
> proportion of attacks this might address, and whether we can immediately
> think of ways attackers could break it.
>
> Does anyone have more info, or comments on their approach? The doc is here:
> http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
>
> Gerv

--
http://www.parentapproval.com
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
