runningair / browsersec
Automatically exported from code.google.com/p/browsersec
Several times the word "scraped" is used, but the word "scrapped" is intended.
Original issue reported on code.google.com by [email protected]
on 15 Dec 2008 at 9:17
Is it possible to see diffs of the changes being made to the wiki pages?
(Similar to how Trac's wiki revision history works)
Original issue reported on code.google.com by [email protected]
on 6 Jan 2009 at 1:17
Opera is described ("Other built-in document formats") as supporting no
image formats beyond JPG, PNG, and GIF, but it does in fact support BMP.
It does not support TIF. I did not test other formats.
Original issue reported on code.google.com by [email protected]
on 1 Jan 2009 at 11:25
[deleted issue]
In the section about clickjacking
(Part2#Arbitrary_page_mashups_%28UI_redressing%29), Internet Explorer has
NO under "Is CSS opacity supported ('decoy underneath')?". However, IE
supports other ways to do opacity (such as using CSS filter: property)
that could also work on an iframe, and have the same effect for security.
Original issue reported on code.google.com by [email protected]
on 2 Jan 2009 at 7:27
As I’m reading this handbook, I think it would be comfortable to have
references to files containing particular tests or links to subpages
containing quoted content of these files in tables with results. Thus, in
the course of reading, it would be possible to see what the tests look
like, and this should help in understanding the text.
Original issue reported on code.google.com by [email protected]
on 6 Feb 2009 at 11:51
Do you have any study of how browsers behave if they receive raw or entities
within unused sets?
* 0 to 31, except 9, 10, and 13 (C0 control characters)
* 127 (DEL character)
* 128 to 159 (C1 control characters)
* 55296 to 57343 (xD800-xDFFF, the UTF-16 surrogate halves)
Original issue reported on code.google.com by [email protected]
on 24 Sep 2010 at 6:55
According to HTTP spec (RFC 2616 section 3.8), this request header:
User-Agent: Bunny Browser 1.7
must be parsed as three product names: "Bunny", "Browser", and "1.7";
none having a version number. A more correct example would be:
User-Agent: Bunny-Browser/1.7
which is a "Bunny-Browser" product with a "1.7" version number.
Problem found in page
http://code.google.com/p/browsersec/wiki/Part1#Hypertext_Transfer_Protocol.
The same problem exists with the Server header in the HTTP response.
Original issue reported on code.google.com by [email protected]
on 2 Jan 2009 at 6:10
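The parsing rule cited in the report above, as an added example that is not part of the original issue or of the handbook: a tokenizer for the RFC 2616 `product` and `comment` grammar used by the User-Agent and Server headers. The function name `parse_products` is an assumption of this example.

```python
import re

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 2616 section 3.8: product = token ["/" product-version]
PRODUCT = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")


def parse_products(value):
    """Split a User-Agent or Server field value into its elements.

    Returns (name, version) for each product, with version None when absent,
    and ("comment", text) for each parenthesised comment.
    """
    out, i, n = [], 0, len(value)
    while i < n:
        ch = value[i]
        if ch in " \t":                      # whitespace between elements
            i += 1
        elif ch == "(":                      # comment; comments may nest
            depth, j = 1, i + 1
            while j < n and depth:
                if value[j] == "\\":         # quoted-pair: skip the escaped char
                    j += 1
                elif value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("unterminated comment")
            out.append(("comment", value[i + 1:j - 1]))
            i = j
        else:
            m = PRODUCT.match(value, i)
            if m is None:
                raise ValueError(f"invalid product at offset {i}")
            out.append((m.group(1), m.group(2)))
            i = m.end()
    return out


if __name__ == "__main__":
    # The two header values quoted in the report above.
    for sample in ("Bunny Browser 1.7", "Bunny-Browser/1.7"):
        print(sample, "->", parse_products(sample))
```

Log pipelines that key on a product name and version get three unversioned products from the first form and one versioned product from the second.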
see..
how browsers transform URLs
http://lists.w3.org/Archives/Public/public-iri/2009Nov/0045.html
and: http://code.google.com/p/curlies/
It doesn't appear that the BSH as yet references/leverages CURLIES -- which
might be a useful thing to do, especially in BSH part 1.
=JeffH
Original issue reported on code.google.com by [email protected]
on 28 Dec 2009 at 11:15
There is an enhancement to Flash that supports access to files on the local
host system. The page that discusses cross-domain policy should have this
information added.
http://www.macromedia.com/support/documentation/en/flashplayer/help/help02.html
Original issue reported on code.google.com by [email protected]
on 15 Dec 2008 at 9:32
It would be useful to include device / operating system information to
Browserscope. Currently Android Chrome and Desktop chrome both record results
in the same place (Chrome 26). But the results can be different enough that it
is worth knowing.
Original issue reported on code.google.com by [email protected]
on 17 Apr 2013 at 10:24
Part3. HTTP authentication
[CURRENT]
Because of these limitations and the relative inflexibility of this scheme
to begin with, HTTP authentication has been almost completely extinct on
the Internet, and replaced with custom solutions built around HTTP cookies
(it is still sometimes used for intranet applications or for simple access
control for personal resources).
[END CURRENT]
[PROPOSAL]
A) New work on HTTP strong authentication mechanisms in form of DRAFT
http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-02.txt
B) NTLM and basic auth: it's still used too for proxy access and many web
APIs use this mechanism (Not widely used for interactive human usage)
C) Many sites moved away from HTTP authentication mostly because there
wasn't good UI in the browser (not because technical aspects of digest
and basic)
D) There is a need for a robust framework where new schemes can be plugged
more easily and making the HTTP authentication more visually and attractive
in the browser world
E) Some humour with HTTP authentication implementations
http://bitworking.org/news/Problems_with_HTTP_Authentication_Interop
Original issue reported on code.google.com by [email protected]
on 3 Jan 2009 at 12:56
In the section: http://code.google.com/p/browsersec/wiki/Part1
the link Cross-site scripting pointing to:
http://code.google.com/p/doctype/wiki/ArticlesXSS
is broken.
Currently the valid destination is:
http://code.google.com/p/doctype-mirror/wiki/ArticleXSS
Original issue reported on code.google.com by ecasbas
on 7 Jan 2013 at 6:48
What steps will reproduce the problem?
1. gzip -d the tar.gz file
2. run clamscan on browser_tests-1.00.tar
Exploit.HTML.MHTRedir-8 FOUND
Is this exploit used for educational purposes or ...?
Original issue reported on code.google.com by [email protected]
on 11 Dec 2008 at 12:00
the text of the "Note:" (in Part 2: Same-origin policy for cookies) reads:
"Note: there is an ongoing work to document, clarify, and clean up cookie
behavior to improve the usability of httponly and related mechanisms."
..and it contains an embedded link to the http-state@ list archives.
Given that the IETF HTTP-State working group was recently chartered, I
suggest revising the "Note:" text to be..
"Note: an IETF effort is underway to clearly specify currently deployed
cookie behavior across major browsers."
..and have some appropriate chunk of the text link to..
http://www.ietf.org/dyn/wg/charter/httpstate-charter.html
Also, I suggest moving the "Note:" itself to be either below the last
bullet item, or place it between the para above and the first bullet item.
thanks.
Original issue reported on code.google.com by [email protected]
on 14 Dec 2009 at 10:07
I'm referring to
http://code.google.com/p/browsersec/wiki/Part2#Port_access_restrictions
Last year I renewed my research and in the process published a list of
blocked ports per browser. Please refer to:
http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
As you may notice from the Appendixes, Firefox and Safari differ from Opera
when it comes to the ports blocked. Not sure if the behavior changed since
these tests were last performed (1 year ago)
Original issue reported on code.google.com by sandrogauc
on 19 May 2009 at 9:47
Please include the different parsing rules that are applied in parsing URLs
inside <a> tags.
Eg, how are these parsed in different browsers:
<a href='/foo">
<a href="/foo&">
<a href="/foo"">
<a href='/foo''>
<a href='/foo%30'>
Original issue reported on code.google.com by [email protected]
on 1 Jan 2009 at 11:14
Enter description of the problem here
I think I have a fake version of gmail and chrome on my iPad. I am listed as
a supervised user on my account. Advanced setting is grayed out on my settings
in Chrome. I am trying to get help but cannot find a space to go to. There is
a kggould.com site I cannot log into either. I know you are not security
people but maybe you can help, or send this to someone who can.
Thank you,
Karen Gould
[email protected] (my other gmail account)
Original issue reported on code.google.com by [email protected]
on 29 Dec 2013 at 5:37
In the table of section "Unicode in URLs" (part 1), it is said that Firefox
3 uses UTF-8 for "Request URL query string encoding for manually entered
URLs". This is actually not completely true.
It looks like Firefox 3 does the following:
- if all the characters in the query string can be encoded in the
machine's default encoding, this encoding is used.
- otherwise, UTF-8 is used.
Let me explain. I'm using a French machine whose default encoding is
CP-1252 (similar to ISO-8859-1).
The URL http://www.google.com/search?q=é produces
http://www.google.com/search?q=%E9, whereas
http://www.google.com/search?q=ąé produces
http://www.google.com/search?q=%C4%85%C3%A9.
In the first case, the "é" character was converted to %E9 which is
ISO-8859-1. In the second case, it was converted to %C3%A9, which is UTF-8.
Original issue reported on code.google.com by [email protected]
on 28 Jan 2009 at 1:06
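The fallback rule described in the report above, modelled as an added example (not code from the original issue, the handbook or Firefox). Both function names and the server-side "UTF-8 first, then legacy code page" guess are assumptions of this example; it shows why a server cannot tell the two encodings apart from the bytes alone.

```python
from urllib.parse import quote, unquote_to_bytes


def encode_query_as_reported(text, default_encoding="cp1252"):
    """Percent-encode text using the rule the report describes:
    the machine's default encoding if it can represent every character,
    otherwise UTF-8."""
    try:
        raw = text.encode(default_encoding)
    except UnicodeEncodeError:
        raw = text.encode("utf-8")
    return quote(raw, safe="")


def decode_query(escaped, legacy="cp1252"):
    """Assumed server-side guess: strict UTF-8 first, then the legacy
    code page. Returns (text, encoding_used)."""
    raw = unquote_to_bytes(escaped)
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode(legacy), legacy


if __name__ == "__main__":
    # Constructed inputs: the two queries from the report, plus a third
    # whose CP-1252 bytes happen to be valid UTF-8.
    for q in ("\u00e9", "\u0105\u00e9", "\u00c3\u00a9"):
        escaped = encode_query_as_reported(q)
        print(repr(q), "->", escaped, "->", decode_query(escaped))
```

The third input, "Ã©", fits in CP-1252 and encodes to `%C3%A9`, the same bytes as UTF-8 "é", so a server that guesses the encoding decodes a different string than the one the user typed.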
The HTTPS (RFC 2818) link address is a mistake.
The link address should be http://www.ietf.org/rfc/rfc2818.txt, not
http://www.ietf.org/rfc/rfc2616.txt
Original issue reported on code.google.com by [email protected]
on 20 Nov 2014 at 5:34
Enter description of the problem here
Presently, the notion of "Same Origin Policy" is not in and of itself
appropriately defined anywhere.
Recently, this wiki page has been established as a (the) place to tease out
such a definition..
http://www.w3.org/Security/wiki/Same_Origin_Policy
We suggest that the BSH reference that page, e.g. in the "Part 2"
subsection entitled "Same-origin policy".
thanks,
=JeffH
Original issue reported on code.google.com by [email protected]
on 1 Dec 2009 at 7:50
In http://code.google.com/p/browsersec/wiki/Part1 section "True URL schemes"
in table "Gopher (RFC 4266)" links to wrong URL
http://www.ietf.org/rfc/rfc14266.txt. Remove 1 from URL for correct URL
http://www.ietf.org/rfc/rfc4266.txt.
Original issue reported on code.google.com by [email protected]
on 11 Dec 2008 at 6:51
hi,
Thanks for a great document. Because the content is huge it will help to be
able to take a print and read (instead of on screen). Hope this can be done.
regards
Sesh
Original issue reported on code.google.com by [email protected]
on 18 Dec 2008 at 10:49
The table shows that FF3 does not have X-Frame-Options support, but Mozilla's
site claims it does as of FF 3.6.9 (I have not tested it).
Affected Page:
http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)
Source:
http://blog.mozilla.com/security/2010/09/08/x-frame-options/
Original issue reported on code.google.com by [email protected]
on 21 Feb 2011 at 5:04
In Part1: "non-XML mode tend are generally" should be "non-XML mode tend to
be generally"
In Part2: "local files or input devices devices, although" should be "local
files or input devices, although"
Original issue reported on code.google.com by [email protected]
on 18 Dec 2008 at 4:21
I think you should mention IE7's integration with Vista's process
integrity mechanism in the "Open browser engineering issues", "security
compartmentalization" section of part 3. Running IE7 as a low integrity
process does reduce the impact of any code running inside the process.
Original issue reported on code.google.com by [email protected]
on 2 Jan 2009 at 1:32
http://code.google.com/p/browsersec/wiki/Part1
Characters permitted in entity names]] (excluding A-Z a-z 0-9)
the ]]'s seem extraneous
Original issue reported on code.google.com by [email protected]
on 12 Dec 2008 at 1:29
Many of the security considerations for the <embed>, <iframe>, <img>,
<applet> and <script> elements are also relevant to the <object> element,
which is not discussed in this document.
Original issue reported on code.google.com by [email protected]
on 17 Jul 2009 at 5:57
Bloodhound.Exploit.6 is found.
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2004-031218-0648-99
If this is intentional... it should probably be mentioned.
Original issue reported on code.google.com by [email protected]
on 11 Dec 2008 at 4:43
lol
Original issue reported on code.google.com by [email protected]
on 20 Dec 2011 at 12:03