
The Register ®

Comments on ‘Firefox developers tinker with new security protections (finally)’

Protecting users from net's weaker security links

Published Tuesday 20th May 2008 08:57 GMT


Err 

By Tom Chiverton
Posted Tuesday 20th May 2008 11:08 GMT

"enable websites to define security policies that the browser enforces"

You mean like the 'same origin' policy we already have, that isn't regularly found to have problems in its impl.?

noscript? 

By mrmr
Posted Tuesday 20th May 2008 11:21 GMT

Why not make noscript a default extension, and spend the resources on something useful (like beer).

http://noscript.net/faq#qa4_1

Base for anti-Phorm browsing? 

By Anonymous Coward
Posted Tuesday 20th May 2008 11:56 GMT

Any gurus reading?

The web site operators are in on it 

By tom currie
Posted Tuesday 20th May 2008 12:06 GMT
Flame

Things like wildcard "*" cross domain trust are allowed by the ecommerce site operators, and are not a hacker artifact. Phishing works well because the ecommerce sites are making money on advertising which requires the wildcard cross domain trust. Doubleclick (via ru4.com) embeds a "*" trust value in their client's web sites. The more interesting topic is "how does an ecommerce site go about vetting their advertisers and biz partners to ensure the main site does not become vulnerable?"

Fairly pointless 

By Anonymous Coward
Posted Tuesday 20th May 2008 13:06 GMT
Stop

>"Site developers could indicate an explicit set of domains that should be treated as valid sources of javascript, so that code embedded in sites that aren't specifically white-listed would not be executed."

Of course, if they want to get paid by their advertisers, they'll have to whitelist all the ad-serving domains.

And then the infected banner ads will be able to get through again.

End result: another one of those security features that is turned-off everywhere because it's too inconvenient, and very little (if any) extra protection for surfers.

ad-serving domains.... 

By Anonymous Coward
Posted Tuesday 20th May 2008 15:41 GMT

Instead of serving up ads directly from the ad-serving domains, what if site owners inspected the ads to make sure there wasn't any naughty Javascript in them to begin with, placed those ads on a trusted server, and loaded them from there....?
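The two preceding posts argue about the same mechanism from different sides: the quoted proposal (a site names the domains whose scripts the browser may run), the objection that ad-serving domains would have to be whitelisted anyway, and the suggestion of vetting ads and serving them from the site's own server. The following is an added example, not code from the article or from any commenter, that models that whitelist check in a few lines and shows why an origin-level whitelist cannot tell a clean ad script from a compromised one served from the same origin, while self-hosting vetted ads keeps the list down to the site's own origin. The policy keywords, page URL and script URLs are all constructed for illustration.

```javascript
// Added example (not from the article or any commenter): a toy model of the
// "explicit set of domains treated as valid sources of javascript" idea.
// Policy syntax ('self', '*', concrete origins) is an assumption for the demo.

// Reduce a URL to its origin (scheme + host + port), the unit the whitelist
// reasons about. Returns null for unparseable input so callers can fail closed.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether the browser may execute a script from scriptUrl on a page at
// pageUrl under the given policy (an array of allowed sources).
function isScriptAllowed(policy, pageUrl, scriptUrl) {
  const scriptOrigin = originOf(scriptUrl);
  if (scriptOrigin === null) return false;          // junk URL: refuse
  const pageOrigin = originOf(pageUrl);
  return policy.some(src => {
    if (src === '*') return true;                   // wildcard trusts everyone
    if (src === 'self') return scriptOrigin === pageOrigin;
    return originOf(src) === scriptOrigin;          // exact origin match
  });
}

// Apply a policy to every script a page tries to load and report the verdicts.
function enforce(policy, pageUrl, scriptUrls) {
  return scriptUrls.map(url => ({ url, allowed: isScriptAllowed(policy, pageUrl, url) }));
}

// The third-party origins a page would have to whitelist to keep working as-is.
// With vetted ads copied onto the site's own server this comes out empty.
function requiredThirdPartyOrigins(pageUrl, scriptUrls) {
  const self = originOf(pageUrl);
  const others = new Set();
  for (const url of scriptUrls) {
    const o = originOf(url);
    if (o !== null && o !== self) others.add(o);
  }
  return [...others].sort();
}

// Constructed sample: a shop page loading its own code plus two scripts from an
// ad network, one of which is assumed to have been tampered with upstream.
const PAGE = 'https://shop.example/checkout';
const SCRIPTS = [
  'https://shop.example/js/cart.js',
  'https://ads.example-network.test/banner.js',
  'https://ads.example-network.test/compromised-banner.js',
];

const strictPolicy   = ['self'];                                  // blocks all ads
const adFriendly     = ['self', 'https://ads.example-network.test']; // lets both ad scripts in
const wildcardPolicy = ['*'];                                     // no protection at all

// Self-hosted, pre-inspected ads: the same banner served from the site itself.
const SELF_HOSTED = ['https://shop.example/js/cart.js', 'https://shop.example/ads/banner.js'];

console.log('strict:', enforce(strictPolicy, PAGE, SCRIPTS));
console.log('ad-friendly:', enforce(adFriendly, PAGE, SCRIPTS));
console.log('wildcard:', enforce(wildcardPolicy, PAGE, SCRIPTS));
console.log('origins to trust, third-party ads:', requiredThirdPartyOrigins(PAGE, SCRIPTS));
console.log('origins to trust, self-hosted ads:', requiredThirdPartyOrigins(PAGE, SELF_HOSTED));
```

Run it with Node. The ad-friendly policy admits `compromised-banner.js` exactly as readily as `banner.js`, because the whitelist only sees the origin, which is the objection in the "Fairly pointless" post; the self-hosted variant needs no third-party origin at all, which is the mitigation the "ad-serving domains...." post proposes, at the cost of inspecting and re-hosting every ad.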

W3C 

By Patrick O'Reilly
Posted Tuesday 20th May 2008 16:14 GMT

If this is such a wonderful idea, shouldn't they bring it to the W3C as some sort of cross browser standard?

Good idea 

By Pyros
Posted Tuesday 20th May 2008 16:50 GMT

Bad execution.

I *really* hope the peeps at InformAction OpenSource Software (the makers of NoScript) are working hand in hand with the weebls over there. Mozilla has a great thing goin' on, but a lot of good add-ons could stand to be part of the default interface that it's not funny anymore.

Bundle NoScript with FireFox!

Re: W3C 

By Anonymous Coward
Posted Tuesday 20th May 2008 17:13 GMT

We tried that: the HTML folks said it wasn't their domain because it's headers external to the document mark-up, and the HTTP folks told us the controls were specific to documents and we should talk to the HTML folks.

At this point it's just an experiment. If it looks useful in practice I'm sure we can find a standards body home for it, and it will need to be standardized to really work long-term. But trying to standardize without having at least one implementation tends to lead to standards no one wants to (or can) implement; some standards bodies even require two compatible implementations before they'll call a standard "final".

Where are the IE flamers? 

By Darryl
Posted Tuesday 20th May 2008 18:23 GMT

You know, the ones who jump all over IE for having non-standardized bits? Shouldn't you all be bashing Mozilla now?

Who decides whom to trust? 

By Robert Armstrong
Posted Tuesday 20th May 2008 21:45 GMT
Black Helicopters

"The idea is to enable websites to define security policies that the browser enforces."

What if the security policy on a given website allows for direct malware injection or a script that redirects to a malware site that is "approved" by the referring website?

Not exactly the security policy I have in mind but I am not too worried about me. If there was such a plug-in I would probably not trust it very much.

@Pyros, @Darryl 

By Nexox Enigma
Posted Tuesday 20th May 2008 21:58 GMT

@Pyros:

The entire idea of FF is that it is a minimal browser which is then extensible. If they just started shipping all the extensions with the installer, their whole mission would be for nothing. Not that it really got them all that far, since their minimal, stripped browser has been larger and slower than a certain other full featured browser/mail client/irc client/etc for quite some time now.

@Darryl:

Bashing Mozilla got tiring a long time ago. I think people tend to bash IE because it makes their lives so terrible, with the non-standard compliance, spyware auto-downloading, etc. Mozilla is just somewhat annoying.

Where can I find the original message? 

By spinkham
Posted Wednesday 21st May 2008 03:32 GMT
Thumb Up

Where can I find the original message, and how can I get involved? I am involved with web security for a living, and see the need for better protections on the client side on the modern web.

@Nexox Enigma 

By Anonymous Coward
Posted Wednesday 21st May 2008 09:06 GMT

> The entire idea of FF is that it is a minimal browser which is then extensible. If they just started shipping all the extensions with the installer, their whole mission would be for nothing.

heh, superb, but if you're going to take the mickey by impersonating crazed techies in this way, use a smiley - there are people on this site who might misunderstand you.

(In case anyone was confused, "the entire idea of FF" is of course to be a much better browser than IE for the whole world to use, and that means making ordinary browsing as safe ***as humanly possible*** for ordinary people. Startup speed, extensibility, standards, blah blah, all of it counts for nothing to a normal person compared to ***Not Needing a Degree In Technology To Prevent My Bank Details Being Stolen***)

A Fool and his money are soon parted 

By Fab De Marco
Posted Wednesday 21st May 2008 11:09 GMT

You can upgrade and polish up security on browsers as much as you like; if people are stupid then they will lose money, info, etc, etc.

Believe it or not, people who get an email from their bank saying "we have lost your user name and password info, please click on this Barclays-looking link and put your info in" will STILL fall for it.

I had one recently and was pleased to see Windows Live Mail include a button called "report phishing scam". So I happily clicked on it. Hopefully something will be done about it.

I suppose... 

By Anonymous Coward
Posted Wednesday 21st May 2008 16:00 GMT
Coat

I suppose it would be useful for this functionality to be built into the browser, but I have little doubt that the "NoScript" extension will still do it much better. (if nothing else because of the ridiculously frequent updates to NoScript)

Security? What security? 

By Anonymous Coward
Posted Wednesday 21st May 2008 22:00 GMT
IT Angle

For whom and by whom?

Define secure.

@ Darryl 

By Steve Roper
Posted Thursday 22nd May 2008 04:15 GMT
Paris Hilton

I'm an IE flamer, for the exact reason you mention. Standards are meant to minimise development overhead by allowing the same code to be cross-browser compatible, a thing IE is notorious for breaking. Should Mozilla go this same route, deviating from the W3C, rest assured I (and many other web developers) will start hoeing into them with just as much avidity as we currently attack IE!

I just DON'T want to have to write ten different versions of my CGI/PHP, CSS and HTML with 500 lines of browser-sniffing Javascript, to accommodate every different vendor's vision of the perfect browser, thanks very much!

Paris because she's become a universal standard on El Reg...
