Google posted on Wednesday a handbook for Web developers that highlights the key security features and quirks of major Web browsers.
The document, dubbed the Browser Security Handbook, has three parts that tackle the security features in browsers and browser-specific issues that could lead to security weaknesses.
"Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities," Michal Zalewski, a developer at Google, stated in the introduction to the handbook. "Although all browsers implement roughly the same set of baseline features, there is relatively little standardization — or conformance to standards — when it comes to many of the less apparent implementation details."
The handbook covers features of Internet Explorer 6 and 7, Mozilla Firefox 2 and 3, Apple Safari, the Opera browser and Google's Chrome and Android browsers.
Browsers have garnered renewed scrutiny from security researchers in recent years. In 2007, computer-science students at Stanford University found a way to bypass the same-origin policy in browsers, allowing an attacker to use the browser to access data on other computers on a victim's network. This year, researchers Robert Hansen and Jeremiah Grossman uncovered a method, known as clickjacking, of exploiting Web graphics to persuade a victim to click where an attacker wants on a page. Both issues are discussed in the security handbook.
As the world moves toward Web pages and applications that increasing interact with each other, frequently called Web 2.0, developers need to better understand the browsers, Zalewski stated.
"Through the years, we found that having a full understanding of browser-specific quirks is critical to making sound security design decisions in modern Web 2.0 applications," he said.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos