ISWG Open Letter to Browsers

The OWASP Foundation is deeply concerned about the risk associated with increasingly powerful browsers. We are seeking to support browser vendors with research, resources, and ideas about how to navigate around the many security challenges we face on the web. At our recent Summit in Portugal, OWASP's Intrinsic Security Working Group (ISWG) met to discuss the key security challenges at the various intersections of web applications and browsers. The ISWG is a group of web application security specialists that contribute their time to OWASP to try to make building secure web applications easier.

We’re hoping to work to identify some practical solutions to some of the security issues that could affect security of both browser users and organizations with web applications. The following recommendations are some initial ideas we’d like to help get implemented. We selected a few of these ideas as good starting points because they are either simple to implement or because they offer a critical protection that is needed today.

• The first protection the ISWG is recommending browsers implement is HTTPOnly. The majority of major browsers currently offer some level of protection when applications use the HTTPOnly flag on its cookies. Unfortunately, because the implementations are not complete, it is still possible under some circumstances to bypass the mechanism. When this flag is turned on, JavaScript should not be able to read or write to the cookie object in the page's DOM. Also, it is possible to read cookie data from XmlHttpRequest response data even with the HTTPOnly flag on. Ideally, no JavaScript could access or modify any cookie data from a cookie with the HTTPOnly flag.

• The second protection the ISWG is recommending is the disabling of "autocomplete" features within cross-domain iframes. Browser users utilize the autocomplete feature so they don't have to remember passwords for multiple sites or save themselves the effort of repeatedly typing in the same credentials. However, the recently publicized "clickjacking" technique has enabled attackers to trick users into clicking "past" a benign looking page and into a site that they trust. If a browser automatically populates a login form for a site the user trusts, an attacker can force the user to click the "login" button and further execute fully authenticated functionality on the attacker's behalf.

• The final protection the ISWG is recommending is the implementation of "jail" tags. Jail tags could allow applications to reliably mark pieces of the page where untrusted user input appears without exposing any risk of cross-site scripting. The web is trending towards more interconnectivity and more user-generated content. Therefore, the need for this type of protection is critical. Finer grained JavaScript rules to accommodate general "mashup security" will eventually be needed, but other groups are working on specifications for such solutions.

We thank you for your consideration of these issues, and hope to work with any interested parties in furthering the security of browsers and web applications at the building block level.

OWASP Intrinsic Security Working Group http://www.owasp.org/