[owasp-intrinsic-security] Application Boundaries Enforcer (ABE) - Call for Input

Giorgio Maone giorgio.maone at gmail.com
Fri Nov 7 17:07:36 EST 2008


@Bil Corry:
I've been an advocate of content restrictions for a long time, and also
helped bsterne with the first implementation (Site Security Policy).
The CSRF part of content restrictions has been dropped in the current
implementation, called Content Security Policy
<http://people.mozilla.org/%7Ebsterne/content-security-policy/>, because
they hope the Origin header will be properly handled either at the
application level or by configuring effective server-side WAF rules.
Therefore ABE has a place both as an interim solution until Origin support
is widespread, and (in pure NoScript spirit) as a way to control CSRF
protection on the client side as well.


On Fri, Nov 7, 2008 at 10:19 PM, Bil Corry <bil at corry.biz> wrote:

> Giorgio Maone wrote on 11/4/2008 9:47 AM:
> > as I announced some time ago, I'm starting this NoScript sub-project,
> using
> > the existent NoScript's request interception/blocking infrastructure to
> > build a sort of in-browser web firewall to define and enforce web
> > application boundaries.
>
> It reminds me a little of this proposal:
>
>        http://www.gerv.net/security/content-restrictions/
>
> - Bil
>
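The message above says the CSP authors dropped CSRF handling because they expect the Origin header to be checked at the application level (or by WAF rules) instead. The following is an added example, not code from NoScript, ABE, or Content Security Policy, of what such an application-level check looks like, including the two cases a 2008-era deployment had to handle: browsers that send no Origin header at all (fall back to Referer) and the opaque "null" origin. The allowed-origin set and the sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Methods that do not change server state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce an absolute URL to its scheme://host[:port] origin, lower-cased.
    Returns None when the URL has no scheme or host (not an absolute URL)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def csrf_check(method, headers, allowed_origins):
    """Decide whether a request may perform a state-changing action.

    headers         : dict of request headers (looked up case-insensitively)
    allowed_origins : set of origins such as {"https://app.example"} that are
                      permitted to drive state-changing requests here
    Returns (allowed, reason).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")

    if origin is None:
        # Browsers without Origin support send nothing; fall back to Referer.
        referer = h.get("referer")
        if referer is None:
            # Neither header: the source cannot be established, so reject.
            return False, "no Origin or Referer header"
        origin = origin_of(referer)
        if origin is None:
            return False, "unparseable Referer"
    elif origin == "null":
        # Opaque origin (sandboxed frame, data: URL, some redirect chains).
        return False, "null origin"

    if origin.lower() in allowed_origins:
        return True, f"origin {origin} allowed"
    return False, f"origin {origin} not allowed"


# Constructed sample requests (hypothetical hosts), not captured traffic.
ALLOWED = {"https://app.example"}
SAMPLES = [
    ("GET",  {}),
    ("POST", {"Origin": "https://app.example"}),
    ("POST", {"Origin": "https://evil.example"}),
    ("POST", {"Referer": "https://app.example/transfer?acct=1"}),
    ("POST", {}),
    ("POST", {"Origin": "null"}),
]


def run_samples():
    """Evaluate every constructed sample; returns a list of booleans."""
    return [csrf_check(m, hdrs, ALLOWED)[0] for m, hdrs in SAMPLES]


if __name__ == "__main__":
    for (method, hdrs), ok in zip(SAMPLES, run_samples()):
        verdict = csrf_check(method, hdrs, ALLOWED)[1]
        print(f"{method:5} {hdrs!s:50} -> {'allow' if ok else 'deny'} ({verdict})")
```

The Referer fallback is deliberately strict: a missing header on a state-changing request is denied rather than waved through, which is the choice that keeps the check meaningful when a proxy or privacy setting strips headers. Applications that must accept such clients need a token-based defence in addition to this check.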