[owasp-intrinsic-security] Application Boundaries Enforcer (ABE) - Call for Input

Giorgio Maone giorgio.maone at gmail.com
Fri Nov 7 17:07:36 EST 2008

@Bil Corry:
I've been an advocate of content restrictions for a long time, and also
helped bsterne with the first implementation (Site Security Policy).
The CSRF part of content restrictions has been dropped in current
implementation called Content Security
they hope the Origin header will be properly handled either at the
application level or configuring effective server side WAF rules.
Therefore ABE has a place both as an interim solution until Origin support
is widespread, and (in pure NoScript spirit) as a way to control CSRF
protection on the client side as well.

On Fri, Nov 7, 2008 at 10:19 PM, Bil Corry <bil at corry.biz> wrote:

> Giorgio Maone wrote on 11/4/2008 9:47 AM:
> > as I announced some time ago, I'm starting this NoScript sub-project, using
> > the existent NoScript's request interception/blocking infrastructure to
> > build a sort of in-browser web firewall to define and enforce web
> > application boundaries.
> It reminds me a little of this proposal:
>        http://www.gerv.net/security/content-restrictions/
> - Bil