Although the first option specifically claims it is dangerous to do so, these changes render NoScript into an add-on that provides a lot of extra security (protecting against clickjacking, cross-site scripting and implementing support for x-frame-options and Strict Transport Security) without bothering users with new UI-elements containing incomprehensible questions, messages or options. Because web security is not only about protecting against threats, but also about not breaking novice users’ expectations of how your secured browser (and the web) looks and behaves.
With a notoriously bad reputation for security (or the lack thereof) in Internet Explorer, Microsoft claims to have invested a lot in IE8 security in general and specifically in browser enforced website security. Indeed, according to the product site, IE8:
[…] helps protect you from today’s threats, including malware and phishing, as well as emerging threats that can compromise your computer without your knowledge. Other browsers either don’t offer you this level of protection or require you to download and configure third-party add-ons to get it, but with Internet Explorer 8 you get it right out of the box, and turned on by default.
Smartscreen filter is the name for the Microsoft technology that uses an “in-the-cloud reputation database” which is contacted by the browser to assess the trustworthiness of a URL. Using that information, access to dangerous sites and downloads of malware can be blocked. The system is very similar to Google Safe Browsing that is implemented in Firefox, Chrome and Safari, but Smartscreen seems to be better in stopping malware from being downloaded. On the other hand the 2nd NSSlabs-study deemed both as effective when it comes to blocking access to phishing sites. Based on these (MS sponsored) results one could conclude that IE8 might have an advantage over the competition, but I for one would be very interested in an updated version of these tests with cooperation from the other browser-makers.
IE8’s XSS-filter offers protection against type 1 cross-site scripting attacks. Although it offers no protection against (less common) type 0 and type 2 XSS-attacks, the mere fact that IE8 does offer out of the box XSS-protection is a big thing. Except … except apparently there’s a serious bug in IE8’s XSS-filter that can be abused to do cross-site scripting. Microsoft has not yet confirmed or fixed the bug, leading some sites (e.g. Google) to disable the XSS-filter by adding “X-XSS-Protection: 0” to the HTTP response header. Now isn’t that ironic?
Microsoft also included clickjacking defense in IE8, by letting website owners define whether or not their pages are allowed to be included in (i)frames. This can be done by simply adding “x-frame-options” to the HTTP response header, with value “deny” to prevent a page from being shown in any frame and “sameorigin” to limit framing to pages from the same domain. x-frame-options however does not protect against clickjacking with Flash or other embeds.
But where’s the competition?
So what’s available in Firefox, Chrome and Safari apart from the Google Safe Browsing implementation? Nothing much up until now, I’m afraid … At Mozilla smart guys are working on “Content security policy”. CSP is a declarative server-driven anti-XSS framework, with policies being pushed through HTTP headers. Although the policy may require non-trivial website changes because inline scripts will be disallowed by default, it certainly has potential (to the extent that Microsoft is said to be interested). But CSP is not there yet, now is it? Over at Google, engineers are including (type 1) XSS-protection and support for the Strict Transport Security spec (forcing a browser to load a site only over HTTPS by issuing an HTTP response header) in the dev-channel builds of Chrome 4. As some may have noticed while looking for Google Talk’s chatback badge last week, x-frame-options (as anti-clickjacking measure) has already been implemented in Safari 4 and Chrome 3 as well. So especially Google is trying to make some serious progress, but Chrome 4 can hardly be considered granny-ready, can it? That leaves us Firefox with the NoScript extension, but I’ll come back to that combination in a minute.
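The three response headers discussed above (X-Frame-Options, X-XSS-Protection and Strict-Transport-Security) are easy to set and just as easy to get wrong, so here is a small audit script. This is an added example, not code from the original post; the sample responses are constructed for the demonstration and the finding texts are my own.

```python
"""Audit the browser-enforced security headers of an HTTP response.

Added example (not from the original post): parses raw response headers
and reports whether X-Frame-Options, X-XSS-Protection and
Strict-Transport-Security are present with a protective value.
"""
from typing import Dict, List

# Constructed sample: a site that framed itself correctly but, like Google
# in the post, switched the XSS filter off, and never enabled STS.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 0\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # Clickjacking: only DENY or SAMEORIGIN keep the page out of foreign frames.
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options missing or not DENY/SAMEORIGIN (clickjacking)")

    # Type 1 XSS filter: a value of 0 explicitly disables it in the browser.
    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("x-xss-protection not set (filter state left to browser default)")
    elif xss.split(";")[0].strip() == "0":
        findings.append("x-xss-protection: 0 disables the browser XSS filter")

    # Strict Transport Security needs a max-age before browsers force HTTPS.
    sts = headers.get("strict-transport-security", "").lower()
    if "max-age=" not in sts:
        findings.append("strict-transport-security missing or without max-age")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```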
IE8 the safest browser?
OK, this might hurt, but let’s give credit where credit is due; IE8 indeed seems to offer the best out of the box protection against malicious websites. It is the only browser to come with good phishing- and malware-blocking (Smartscreen) combined with (limited and currently broken) protection against some types of XSS and clickjacking-attacks. So thank you Redmond for setting the example!
The only alternative: Firefox + NoScript
Install FoxyProxy, add both proxies and enable “AutoAdd” (make sure to ignore the vague warning about “significant delays” in page loading times) to automatically use the alternative proxy for forbidden pages
Open a new tab, go to gmail.com and wait for Firefox to freeze completely (if your browser complains that some script is taking too long to finish, just click on “continue”)
(Disclaimer: I provide no guarantees that this will actually work, I never watch porn and I take no responsibility if your browser does (not) crash)
HTML5’s WebDB is one of the building blocks to create offline-enabled webapps. It allows web applications to store data in a local database and it is as such an important part in Google’s push for mobile webapps as an alternative for native mobile apps. The spec (although not finalized) is already implemented in Safari, Safari Mobile and in the Android 2.0 browser. So WebDB will take the world by storm, won’t it? Well, pretend you didn’t read the title of this post and let’s look at some excerpts of the meeting minutes of the W3 Web Applications Working Group Teleconference of 02 Nov 2009 for more info on the state of WebDB. Charles McCathieNevile (Opera) had some good news to share:
At opera, we implemented web db […] it’s likely we will [ship it] as people have built on it
and Google’s Ian Fette joined in:
We’ve implemented WebDB … we’re about to ship it
So that’s great news, no? We can expect WebDB to arrive in Chrome and Opera! OK, so what about Firefox and MSIE? Microsoft, represented by Adrian Bateman, stated:
We don’t think we’ll reasonably be able to ship an interoperable version of WebDB
Well, that doesn’t really come as a surprise does it? No WebDB in MSIE, but surely Mozilla will support this great spec? But Jonas Sicking’s point of view might be slightly shocking to some:
We’ve talked to a lot of developers, the feedback we got is that we really don’t want SQL […] I don’t think mozilla plans to ship it.
In order to have a WebDB standard, you also have to specify (and standardize) the SQL language to query that database; the question is what SQL dialect to standardize on.
As the current implementations are all SQLite-based (including Google’s and Opera’s), the spec would have to describe the very specific SQL dialect that SQLite uses (and maybe even that of a specific version of SQLite).
Although I doubt that web developers don’t want to do client-side SQL at all, writing a spec that almost mandates the use of a specific version of a specific product (even if it’s open source) can hardly be considered the goal of w3.org’s standards creation process. So back to the drawing board for yet another spec? Based on the webapp group’s meeting minutes, Web SimpleDB (or “Nikunj”, after the name of the Oracle engineer behind the idea) is considered a worthy alternative by at least Mozilla, Opera and Microsoft. Let’s hope that a consensus, a finalized spec (it’s in draft now) and the first usable cross-browser implementations will arrive soon.
Google might be pushing back support for HTML5’s <audio> and <video>-tags in Chrome, but these certainly are one of the nicer features the upcoming version of Firefox will bring us. Version 3.5 (RC1 will probably be released the beginning of July) will indeed natively support ogg/vorbis, wav and ogg/theora. And this is important why? Well, apart from the open source (Theora) vs proprietary (Adobe Flash with VP6-codec) argument, using video will allow us to get rid of the memory (and cpu) hog Flash can be (or at least to replace it by another cpu-hog 😉 ). Now having Ogg/Theora built right into your favorite browser might be great, but you’d need a place where you can use that as well, no? Well, there’s no support for Ogg on YouTube yet, but that void can be filled by TinyVid, an “experimental Ogg video uploading and converting site”. Especially the converting-part is handy; just enter the URL of a YouTube, Vimeo or Daily Motion-video and TinyVid will download and convert it for you a few minutes later (depending on the length of the conversion queue). So you’re having big fun, uploading, converting and watching, but wouldn’t you want to show off those great vids on your open source blog as well? 
Easy-peasy; <video src='http://tinyvid.tv/file/3h31b472fv0ng.ogg' controls='controls'></video> And if you’re in a particularly good mood and you want friends that are not running an Ogg-enabled browser to be able to see some disco, you could even try this; <video src="http://tinyvid.tv/file/3h31b472fv0ng.ogg" controls="controls"> <applet code="com.fluendo.player.Cortado.class" archive="http://tinyvid.tv/static/cortado.jar" width="640" height="368"> <param name="url" value="http://tinyvid.tv/file/3h31b472fv0ng.ogg"></param> <param name="BufferSize" value="4096"></param> <param name="BufferHigh" value="25"></param> <param name="BufferLow" value="5"></param> <param name="duration" value="257.369"></param> </applet> </video> And that’ll result in Thom Yorke doing this disco-version of “Everything In Its Right Place” in Theora;
the title and favicon of the most recently closed tab, allowing you to reopen it
a button containing the text in your copy/paste-buffer with contextual actions;
if URL: go to that site
if physical address: put it on a map
else: search for that text on google
more actions might be added and the system will be extensible, taking from Ubiquity
a list of six of your most visited sites, with thumbnail and title and with the most recent rss-items of that site
Although the developers claim that it’s “a rough-cut prototype” and that “the visual design isn’t right”, I already prefer this sober and functionally rich new-tab-behavior over the shiny “top sites” implementation in Apple’s Safari4. I sure hope this will slip into Firefox 3.5 in the next few months!
A few weeks ago my wife complained she couldn’t install software on her Windows XP laptop any more. When double-clicking the downloaded application, she got the error message “This is not a valid win32 application”. Earlier today I had the same problem when trying to install Putty, so I tried downloading the file again and noticed the following error in my FF download manager:
This download has been blocked by your Security Zone Policy
(or “deze download is geblokkeerd door uw beleid voor beveiligingszones” in Dutch) After having frantically searched for “Security Zones” in FF’s own configuration screens, I turned to Google, only to find out that this setting is actually managed in the MSIE configuration UI. So to enable Firefox to download executables, I have to change the MSIE configuration (which I did)? Weird to say the least.
Your job as a (front-end) web developer (or tester) won’t get any easier with the growing competition between browsers. You will not only have to develop for Internet Explorer (the new IE8, but still also for the cursed MSIE6 and for version 7 of course) and Firefox, but also for Safari and Google Chrome. Together these WebKit-based browsers will grab up to 15% of the browser market by the end of 2009 (already 9% now), versus 25% for Firefox (now 21%) and roughly 60% for (MS)IE (now still 68%). Luckily you will be able to rely a bit more on standards (MSIE6 left aside) and components like jQuery, YUI or Dojo will keep easing your cross-browser efforts.
Web agencies face an important challenge; “mobile internet” is growing (partly thanks to powerful WebKit-based mobile browsers) on both the demand and the supply side, and cost-conscious customers will put convergence between their mobile and their “regular” website high on their wish list. Mobile web is becoming the growth pole, so you’d better be on board, both functionally (“mobile usability”) and technically (there is more than Mobile Safari, not everyone has an extensive keyboard and device-dependent rendering is a moving target).
And finally, for a recession I really have no time in 2009. Neither do you, right?