"White hat Talk Web Security" The 2nd chapter of the study note browser security

Section2ChaptersBrowser Security2.1homologous Policy

the same-origin policy is the security foundation of the browser. The role of homologous strategy is to make "document" independent of each other.

Factors affecting " source " :host ( domain name or IP, if IP address is a root domain ), subdomain, port Agreement.

Note: For the current page, the domain of the JavaScript files stored in the page is not important, but what is important is the domain in which the JavaScript page is loaded .

in the browser <script>,<iframe>,,<link> Other tags can load resources across domains without being subject to the same-origin policy case only. each time the label with the "src" attribute is loaded, a GET request is actually initiated by the browser . Unlike XMLHttpRequest , a resource loaded through the SRC attribute, the browser restricts the permissions of JavaScript so that it cannot read and write the returned content.

Note the Security Foundation for cross-domain access scenarios is that the new "JavaScript cannot control this HTTP header".

Http://www.qq.com/crossdomain.xml Results : This XML file does does appear to has any style information associated with it. The document tree is shown below. <cross-domain-policy> <allow-access-from domain= "*.qq.com"/> <allow-access-from domain= "*.gtimg.com"/> </cross-domain-policy>

2.2Browser Sandbox

the current browser is mostly a multi-process architecture, the browser of the various function modules, each browser instances are separated, and when a process crashes, it does not affect other processes.

sandboxes can access local file systems, memory, database, and network requests through the encapsulated API.

Browser plugins are a source of threats that program browser security.

2.3Malicious URL blocker

Malicious URL interception is usually the browser periodically from the designated server to obtain a copy of the latest malicious URL blacklist.

2.4fast-growing browser security

Many browser plugins are written in JavaScript, but the permissions of these browser plugins are higher than those of the normal page .

2.5Summary

Browser is Web portal , browser security also around the security of the Web.

This article is from the "dream to think XI" blog, please be sure to keep this source http://qiangmzsx.blog.51cto.com/2052549/1859546

"White hat Talk Web Security" The 2nd chapter of the study note browser security