Archive for the ‘firefox’ tag
x-frame-options coming to a Firefox near you
Microsoft IE8 introduced it, Apple Safari4 has it, Google Chrome4 does it and now somewhere in the not too distant future, Firefox will ship it too; support for X-FRAME-OPTIONS.
X-cuse-me? Well, X-FRAME-OPTIONS is the HTTP response header that broke the Google Talk chat badge a few months ago, remember? It lets a site declare whether its pages may be (i)framed, by setting the header to “DENY” (never allowed in a frame) or “SAMEORIGIN” (allowed only when the framing page has the same origin, i.e. the same scheme, host and port). The most important reason for this functionality is as a prevention mechanism against “clickjacking” (a.k.a. UI redressing), a type of web attack in which the target page is loaded in an invisible frame on top of an innocent-looking decoy, so that a click the victim intends for the decoy lands on the framed site instead. One caveat: the header only helps in browsers that understand it; older browsers ignore an unknown header and render the frame anyway, so it complements frame-busting script rather than replacing it.
So now that feature is finally coming to Firefox as well; Mozilla’s Brandon Sterne, one of the driving forces behind Mozilla’s much broader Content Security Policy, grabbed the bug by the balls and came up with a first patch. If all goes well, this would be an ideal candidate to get pushed out with a minor version update as per the new release process, no?
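To make the DENY/SAMEORIGIN semantics concrete, here is an added example (my own illustration, not code from the post, from Mozilla’s patch or from any browser) of the decision a supporting browser makes before rendering a framed response, plus the one line a server needs to send. The ancestor list, the hypothetical `sendPage` handler and the choice to check every ancestor frame rather than only the top-level page (the stricter of the two readings browsers have used) are assumptions of this example.

```javascript
// Added example: X-Frame-Options as a browser would enforce it, and as a
// server would send it. Not the original post's code.

// Origin = scheme + host + port, as in the same-origin policy.
function originOf(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// Decide whether a framed document may be rendered.
//   headerValue  : the X-Frame-Options value on the framed response (may be absent)
//   frameUrl     : URL of the framed document
//   ancestorUrls : URLs of the framing documents, innermost first, ending with
//                  the top-level page; empty when the document is not framed
// Assumption: SAMEORIGIN must hold for every ancestor, not just the top page.
// A missing or unrecognised value imposes no restriction (fails open), which is
// why the header cannot replace frame-busting script in legacy browsers.
function frameAllowed(headerValue, frameUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true; // not framed at all
  const policy = (headerValue || '').trim().toUpperCase();
  if (policy === 'DENY') return false;
  if (policy === 'SAMEORIGIN') {
    const self = originOf(frameUrl);
    return ancestorUrls.every((a) => originOf(a) === self);
  }
  return true; // absent/unknown value: fail open
}

// Server side: a hypothetical Node-style handler that sets the header on a
// response object exposing setHeader()/end() (the same shape as http.ServerResponse).
function sendPage(res, body, policy = 'SAMEORIGIN') {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error(`unsupported X-Frame-Options value: ${policy}`);
  }
  res.setHeader('X-Frame-Options', policy);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(body);
}
```

Plug `sendPage` into `http.createServer((req, res) => sendPage(res, '<p>hello</p>', 'DENY'))` to see the header on the wire; `frameAllowed` is the check you can run against your own framing scenarios before relying on the header.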
Browser choice, vacuming & security for father-in-laws
Being “the computer guy” in the family might be a pain in the ass sometimes, but trying to help out users that are not tech savvy can be very revealing. Yesterday my father-in-law asked me to take a look at his computer, there was something about the browser that was not right. Turned out he let Google lure him into downloading Chrome and making it the default browser. What bothered him most about Chrome was the lack of menus (file|edit|…|help), while a lot of us (the in-crowd) consider the minimal use of chrome a plus. Usability is not only about clean, simple UIs, but also about not breaking novice users’ expectations of how your application looks and behaves.
Anyway, I showed him IE8 and Firefox 3.5 (both were installed as well) and he recognized Firefox as the browser he was most familiar with. So I uninstalled Chrome, hid IE8, upgraded him to FF 3.6 and also installed the “Vacuum Places improved” and NoScript add-ons.
“Vacuum Places improved” cleans up the places.sqlite database where Firefox stores bookmarks and history and which can become very big over time. When tweaking the options (“hide icon” and “auto-vacuum every 20 browser starts”) it was a great way to invisibly tune browser performance, but it turns out Firefox 3.6 vacuums places.sqlite automatically (when idle, every 1 to 2 months). So Pierre, if you ever read this; remind me to uninstall “Vacuum Places improved” next time!
NoScript is a whole other beast; it is an add-on for the security-conscious tech-head, which by default disables javascript, flash, java, … It’s a great add-on, but it is very disruptive and as such totally unfit for novice users. Unless you change the configuration of course, because modifying these options makes NoScript a must-have add-on for both you and your grandma;
- General: check “Scripts Globally Allowed (dangerous)”
- Embeddings: uncheck the 8 “Forbid” options, check both “untrusted” and “trusted” for Clearclick protection
- Appearance: uncheck “Status bar icon”, “Status bar label” and “Contextual menu”
- Advanced/XSS: check “Sanitize cross-site suspicious requests”
Although the first option specifically claims it is dangerous to do so, these changes render NoScript into an add-on that provides a lot of extra security (protecting against clickjacking, cross-site scripting and implementing support for x-frame-options and Strict Transport Security) without bothering users with new UI-elements containing incomprehensible questions, messages or options.
Because web security is not only about protecting against threats, but also about not breaking novice users’ expectations of how your secured browser (and the web) looks and behaves.
Browser enforced web application security; IE8 safest?
With a notoriously bad reputation for security (or the lack thereof) in Internet Explorer, Microsoft claims to have invested a lot in IE8 security in general and specifically in browser-enforced website security. Indeed, according to the product site, IE8:
[...] helps protect you from today’s threats, including malware and phishing, as well as emerging threats that can compromise your computer without your knowledge. Other browsers either don’t offer you this level of protection or require you to download and configure third-party add-ons to get it, but with Internet Explorer 8 you get it right out of the box, and turned on by default.
And in August Microsoft proudly pointed to the results of an (MS-commissioned) study by NSS Labs, which stated that IE8 blocked 81% of malware download attempts vs. 27% for FF3 (and even less for other browsers) and 83% of phishing attacks vs. 80% for FF3 (and 54% for Opera 10 and less for Chrome and Safari).
So there you have it, IE8 is the safest browser around, no? Well, that would be jumping to conclusions; IE8 still has its fair share of browser security issues (but don’t they all) and the dreaded security hole called ActiveX is still supported as well. Let’s just focus on how IE8 tries to protect you from malicious websites and compare that functionality with what the competition has to offer.
Smartscreen Filter
Smartscreen Filter is the name of the Microsoft technology that uses an “in-the-cloud reputation database”, contacted by the browser to assess the trustworthiness of a URL. Using that information, access to dangerous sites and downloads of malware can be blocked. The system is very similar to Google Safe Browsing as implemented in Firefox, Chrome and Safari, but Smartscreen seems to be better at stopping malware from being downloaded. On the other hand the second NSS Labs study deemed both as effective when it comes to blocking access to phishing sites. Based on these (MS-sponsored) results one could conclude that IE8 might have an advantage over the competition, but I for one would be very interested in an updated version of these tests with cooperation from the other browser makers.
XSS-filter
IE8′s XSS-filter offers protection against type 1 (reflected) cross-site scripting attacks. Although it offers no protection against (less common) type 0 (DOM-based) and type 2 (stored) XSS attacks, the mere fact that IE8 does offer out-of-the-box XSS protection is a big thing. Except … except apparently there’s a serious bug in IE8′s XSS-filter that can itself be abused to do cross-site scripting. Microsoft has not yet confirmed or fixed the bug, leading some sites (e.g. Google) to opt their pages out of the filter by sending the “X-XSS-Protection: 0” response header. Now isn’t that ironic?
Clickjacking defense
Microsoft also included clickjacking defense in IE8, by letting website owners define whether or not their pages are allowed to be included in (i)frames. This is done by simply adding the “x-frame-options” HTTP response header with the value “deny” to keep a page out of any frame, or “sameorigin” to limit framing to pages from the same origin. x-frame-options however does not protect against clickjacking with Flash or other embeds, and it does nothing in browsers that do not implement it.
But where’s the competition?
So what’s available in Firefox, Chrome and Safari apart from the Google Safe Browsing implementation? Nothing much up until now, I’m afraid …
At Mozilla smart guys are working on “Content Security Policy“. CSP is a declarative, server-driven anti-XSS framework, with policies being pushed through HTTP headers. Although the policy may require non-trivial website changes because inline scripts will be disallowed by default, it certainly has potential (to the extent that Microsoft is said to be interested). But CSP is not there yet, now is it?
Over at Google, engineers are including (type1) XSS-protection and support for the Strict Transport Security spec (forcing a browser to load a site only over HTTPS by issuing an http response header) in the dev-channel builds of Chrome 4. As some may have noticed while looking for Google Talk’s chatback badge last week, x-frame-options (as anti-clickjacking measure) has already been implemented in Safari4 and Chrome3 as well. So especially Google is trying to make some serious progress, but Chrome 4 can hardly be considered granny-ready, can it?
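The Strict Transport Security behaviour described above is easy to get subtly wrong, so here is an added example (my own model, not code from the post and not Chrome’s implementation) of what a browser has to do with the header: parse it, remember it only when it arrived over HTTPS, honour max-age and includeSubDomains, and rewrite later http:// navigations to https:// before any request leaves the browser. The `StsStore` class, its method names and the example hostnames are assumptions of this illustration.

```javascript
// Added example: a browser-side model of Strict Transport Security.
// Header shape: Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

// Parse the header value; returns null when it is unusable.
function parseSts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of String(value || '').split(';')) {
    const [k, v] = part.trim().split('=').map((s) => s && s.trim());
    if (!k) continue;
    const key = k.toLowerCase();
    if (key === 'max-age') {
      if (!/^\d+$/.test(v || '')) return null; // malformed max-age: ignore header
      maxAge = Number(v);
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class StsStore {
  constructor() {
    this.hosts = new Map(); // hostname -> { expires, includeSubDomains }
  }

  // Record a policy carried by a response. The header is only trusted when the
  // response itself came over TLS: on plain HTTP an on-path attacker could set
  // or clear policies at will. max-age=0 removes an existing policy.
  noteResponse(responseUrl, headerValue, now = Date.now()) {
    const u = new URL(responseUrl);
    if (u.protocol !== 'https:') return false;
    const p = parseSts(headerValue);
    if (!p) return false;
    if (p.maxAge === 0) {
      this.hosts.delete(u.hostname);
      return true;
    }
    this.hosts.set(u.hostname, {
      expires: now + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
    return true;
  }

  // Is there an unexpired policy for this host, either directly or via an
  // includeSubDomains policy on a parent domain? Expired entries are dropped.
  isKnown(hostname, now = Date.now()) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {
        this.hosts.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Upgrade an http:// navigation when the host has a policy; everything else
  // is returned unchanged.
  rewrite(href, now = Date.now()) {
    const u = new URL(href);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}
```

The important failure mode is the first one the test exercises: a policy announced over plain HTTP must be ignored, otherwise the header that is meant to defeat a network attacker becomes a tool for one.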
That leaves us Firefox with the NoScript extension, but I’ll come back to that combination in a minute.
IE8 the safest browser?
OK, this might hurt, but let’s give credit where credit is due; IE8 indeed seems to offer the best out of the box protection against malicious websites. It is the only browser to come with good phishing- and malware-blocking (Smartscreen) combined with (limited and currently broken) protection against some types of XSS and clickjacking-attacks. So thank you Redmond for setting the example!
The only alternative: Firefox + NoScript
Firefox does not offer the out-of-the-box protection IE8 does, but when combined with the NoScript extension, it really is the only readily available alternative (Lynx notwithstanding). NoScript offers superior protection against XSS, clickjacking and a host of other threats.
Even if you’re only vaguely security-conscious, installing Firefox and NoScript should really be your first choice. Depending on the level of protection you want, you can use the default but disruptive whitelist configuration (which blocks all javascript and flash) or switch to the less secure “Allow scripts globally” mode. But whatever configuration you choose, anti-XSS and clickjacking protection are always enabled.
It really is beyond me why NoScript’s ClearClick and anti-XSS aren’t in Firefox by default: they seem complementary to CSP, they’re barely disruptive for a novice user and (last but not least) Mozilla could easily one-up Microsoft this way. Anyone?
How to crash Firefox with FoxyProxy
In this brief HOWTO I will describe the procedure to crash Firefox using the great FoxyProxy add-on.
- Check if your employer mandates the use of a filtering proxy for web-access
- Find a way to circumvent that proxy, regaining full-internet access
- Breach corporate IT-guidelines by installing Firefox
- Install FoxyProxy, add both proxies and enable “AutoAdd” (make sure to ignore the vague warning about “significant delays” in page loading times) to automatically use the alternative proxy for forbidden pages
- Open a new tab, go to gmail.com and wait for Firefox to freeze completely (if your browser complains that some script is taking too long to finish, just click on “continue”)
(Disclaimer: I provide no guarantees that this will actually work, I never watch porn and I take no responsibility if your browser does (not) crash)
Chrome, Opera to support html5 webdb, FF & IE won’t
HTML5′s WebDB is one of the building blocks to create offline-enabled webapps. It allows web applications to store data in a local database and it is as such an important part in Google’s push for mobile webapps as an alternative for native mobile apps. The spec (although not finalized) is already implemented in Safari, Safari Mobile and in the Android 2.0 browser.
So WebDB will take the world by storm, won’t it? Well, pretend you didn’t read the title of this post and let’s look at some excerpts of the meeting minutes of the W3 Web Applications Working Group Teleconference of 02 Nov 2009 for more info on the state of WebDB. Charles McCathieNevile (Opera) had some good news to share:
At opera, we implemented web db [...] it’s likely we will [ship it] as people have built on it
and Google’s Ian Fette joined in:
We’ve implemented WebDB … we’re about to ship it
So that’s great news, no? We can expect WebDB to arrive in Chrome and Opera! OK, so what about Firefox and MSIE? Microsoft, represented by Adrian Bateman, stated:
We don’t think we’ll reasonably be able to ship an interoperable version of WebDB
Well, that doesn’t really come as a surprise does it? No WebDB in MSIE, but surely Mozilla will support this great spec? But Jonas Sicking’s point of view might be slightly shocking to some:
We’ve talked to a lot of developers, the feedback we got is that we really don’t want SQL [...] I don’t think mozilla plans to ship it.
Sorry, come again? Does that mean that Firefox will never support window.openDatabase()? Nope, they probably won’t, and they provide some valid concerns (see also Vladimir Vukićević’s blogpost) in a mailing-list discussion between Mozilla and Apple engineers shortly after the meeting minutes were published. Summarized and simplified, their objections boil down to two issues;
- in order to have a webdb standard, you also have to specify (and standardize) the SQL-language to query that database, the question is what SQL-dialect to standardize on.
- as the current implementations are all SQLite-based (including Google’s and Opera’s), the spec would have to describe the very specific SQL-dialect that SQLite uses (and maybe even of a specific version of SQLite)
Although I doubt that web developers don’t want to do client-side SQL at all, writing a spec that almost mandates the use of a specific version of a specific product (even if it’s open source) can hardly be considered the goal of w3.org’s standards creation process.
So back to the drawing-board for yet another spec? Based on the webapp group’s meeting minutes, Web SimpleDB (or “Nikunj”, after the name of the Oracle-engineer behind the idea) is considered a worthy alternative by at least Mozilla, Opera and Microsoft. Let’s hope that a consensus, a finalized spec (it’s in draft now) and the first usable cross-browser implementations will arrive soon.
HTML5 offline webapps vs Google Gears Localserver
Google Gears is a fantastic browser plugin; it allows a developer to create applications that run while offline, syncing with a server when online. Two great examples of the power of that mechanism are Gmail (both the “desktop browser” and the mobile Android-version) and Mindmeister (only while in trial, for paying Mindmeister-accounts after that period). The problem with Gears however is that it’s a plugin and not a lot of people have it installed: only Chrome-users have it by default. And that’s where HTML5 comes in; one of the areas where the new spec offers vast improvements over html4/xhtml is the ability to take webapps offline by allowing a developer to store files for offline usage and to write data to a local, browser-embedded database. Both Safari 4 and Firefox 3.5 support these features, so maybe HTML5 makes Gears already redundant in those browsers with more to come?
I haven’t gotten around to experimenting with offline databases yet, but I did already look into offline files. At first sight, Gears Localserver and HTML5 Offline Webapps indeed seem very similar; your html-page points to a manifest-file which contains a list of assets (pages, images, css, js, …) that the browser has to store for offline usage. Easy enough, no?
To get a better feel of how offlining in HTML5 works, I decided to try to write a simple WordPress plugin to replace its ‘Gears Turbo’ option. Turbo (which you can find in the Options menu) essentially stores about 1 MB of files locally, to speed up delivery of the WP-admin pages. To make a long story short; my plugin didn’t work. For starters, by default requests for resources not listed in the manifest are blocked, but it’s easy enough to unblock network access by adding a “NETWORK:” section to the manifest with a “*” wildcard on the line below it. But more fundamentally; HTML5 Offline Webapps not only stores the files specified in the manifest file, but also every html page which points to the manifest (see my test here). There’s no way you can exclude those “master entries” from being stored. So if pages are stored, that means they have to be static and that all dynamic parts should be handled by javascript (fetching data using ajax and updating your page with it). And that, my friends, is clearly not a use case that is applicable to WordPress admin pages.
So HTML5 Offline Webapps is no drop-in solution to speed up delivery of dynamic pages, you’ll still need Gears to take care of that (or rely on old-fashioned carefully configured expiry- and cache-headers). But, as Google proves with the iPhone-version of Gmail, Offline Webapps combined with a HTML5 offline database can work miracles if you use it the correct way.
Mozilla rethinking extensions with Jetpack
Show me a ‘Mozilla Labs’ page on Facebook and I’ll click on that ‘Become a fan’ button immediately. ‘Labs‘ is where new and often exciting browser functionality is being prototyped (think Prism, Weave, Ubiquity, About:tab, Personas), and where everyone can get involved in the process. How great is that?
Last week the omnipresent Aza Raskin introduced ‘Jetpack‘ to the community. To summarize; Jetpack aims to simplify extension development by requiring only html, css and -of course- javascript, with a simple API, jQuery and Firebug integration built in. Publishing your Jetpack is as easy as referencing it in a link on a webpage and installing it is very straightforward as well, as it requires no browser restart (and as a bonus Firefox upgrades won’t break Jetpack extensions either).
Aza’s demo on Vimeo is a great introduction:
It’s still early days and some important features are not implemented yet (e.g. persistent storage, access to the browser’s chrome beyond notifications and the status bar, ajax when behind a proxy), so as far as I’m concerned Jetpack doesn’t outdo Greasemonkey just yet, but looking at the draft specs and at some of the functionality that they would like to introduce in the next milestone, Jetpack could indeed bring browser extensions to a whole new level.
But don’t take my word for it, just install the Jetpack extension and see for yourself.