Secure Browsing Mode
In the document Ivan lists some of the possible effects of his proposal:
- Eliminate Cross-Site Request Forgery.
- Eliminate off-domain information leakage.
- Eliminate session-based attacks (session fixation, session hijacking, session token prediction, etc).
- Make phishing more difficult.
- Eliminate web site spoofing (e.g. through DNS attacks).
- Increase security in shared-browser environments.
I think this is a big step in the right direction, however getting giants like Microsoft and Apple to support it would be the biggest hurdle.
Another hurdle to adoption is that it adds work for web developers. They would have to define the security policy for the site, and send some extra headers back. This is a problem because programmers are lazy, and I have also noticed that security is sometimes a tough sell, unless there is big pressure from above developers don't tend to go to great lengths to ensure security.
Anyways I hope Ivan moves forward with his proposal, and starts working on an RFC that specs things in a little more detail.
- HTTP Strict Transport Security - September 17, 2010
- Firefox 3.5 Introduces Origin Header, Security Features - June 30, 2009
- Web Form Security and the Middle Man - May 17, 2006
- How To Scream Unsecured - May 2, 2006
- Secure Forms - January 27, 2006
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained