Friday, December 5, 2008

Security in Depth: Local Web Pages

Original: Security in Depth: Local Web Pages

The foundation of the browser's security model is the same-origin policy, which protects web sites from one another. For example, the same-origin policy stops a news site from reading the contents of your Gmail inbox (even if you open both web sites at the same time). But what if a web page comes from your local file system rather than from the Internet? Consider the following hypothetical attack if your browser did not limit the power of local pages:

  1. You receive an email message from an attacker containing a web page as an attachment, which you download.
  2. You open the now-local web page in your browser.
  3. The local web page creates an & e.

To design the best security policy for Google Chrome, we examined the security policies of a number of popular web browsers.

  • Safari 3.2. Local web pages in Safari 3.2 are powerful because they can read the contents of any web site (step 5 above succeeds). Safari protects its users by making it difficult for a web page from the Internet to navigate the browser to a local file (step 2 becomes harder). For example, if you click a hyperlink to a local file, Safari won't render the local web page. You have to manually type the file's URL into the location bar or otherwise open the file.
  • Internet Explorer 7. Like Safari 3.2, Internet Explorer 7 lets local web pages read arbitrary web sites, and stops web sites from providing hyperlinks to local files. Internet Explorer further mitigates local-file-based attacks by stopping local web pages from running JavaScript by default (causing step 5 to fail). Internet Explorer lets users override this. Unfortunately, if the local web
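The origin comparison that the attack scenario above hinges on, written out as an added example (this is illustrative code, not Chrome's or any other browser's implementation). It treats every file: URL as a unique origin, so a downloaded page can frame a site but never shares an origin with it, which is what stops step 5 from succeeding.

```javascript
// Minimal same-origin check in the spirit of the policy discussed above.
// Two URLs share an origin only when scheme, host and port all match.
// file: URLs get a unique (opaque) origin: a local page never matches
// anything, not even another local file. Uses the WHATWG URL parser that
// both Node.js and browsers provide.

function originOf(urlString) {
  const url = new URL(urlString);
  // Local files are given a unique origin that equals no other origin.
  if (url.protocol === 'file:') {
    return { opaque: true };
  }
  // url.port is "" when the URL uses the scheme's default port (80/443),
  // so "https://mail.google.com/" and "https://mail.google.com:443/" agree.
  return { opaque: false, scheme: url.protocol, host: url.hostname, port: url.port };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // An opaque origin is unequal to everything, including itself.
  if (oa.opaque || ob.opaque) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// The scenario from the text: a downloaded attachment (constructed sample
// path) that frames a webmail site. The frame may load, but the parent page
// may only read its document when both share an origin.
function mayReadFrame(parentUrl, frameUrl) {
  return sameOrigin(parentUrl, frameUrl);
}

// Example run: local attachment framing https://mail.google.com/mail/
console.log(mayReadFrame('file:///home/user/Downloads/attachment.html',
                         'https://mail.google.com/mail/'));   // false
```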
