Browser Security Enhancement Tracker Project
We are slowly moving our lives from desktop applications to browser-based applications, and browsers have become an integral part of our life. Current top browsers have a special focus on security and have been working on many major security projects to kill bug classes. Some are ambitious projects, some are smaller tweaks. Some continue to become the core of the browser, some projects get shelved or discarded.
This creates an interesting situation for information security professionals, as our recommendations and risk ratings can be affected by these changes. We have been trying to keep tabs on these changes internally, and we realized that it makes sense to make this information public. So, without further ado, we present the Browser Security Enhancement List.
Browser Security Enhancements List
Title | Description | Browser(s) |
---|---|---|
Same-Site Cookie Attribute | The Same-Site attribute can be used to prevent Cross-Site Request Forgery attacks: browsers will not transmit a cookie marked with the Same-Site attribute when the request is made from a cross-origin context. The Same-Site cookie attribute supports 3 values - Lax, Strict and None. Browsers treat Lax as the default value if the Same-Site attribute is not present on a particular cookie. This ensures that Cross-Site Request Forgery is not allowed when an attacker attempts it through a request from an attacker-controlled application. | Chrome 84+, Firefox 60+ |
Total Cookie protection in Firefox | Total Cookie Protection creates a separate "cookie jar" for each website the users visit in Firefox. Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website. | Firefox 86+ |
Tabnabbing Protection | Reverse tabnabbing is an attack where an attacker can link a malicious page on the target application. Browsers recently added Tabnabbing protection and no longer allow access to the properties of "window.opener". Because browsers prevent the Tabnabbing vulnerability and do not disclose "window.opener" information to the newly opened page, it shows a NULL response. We can say that browsers eliminated the Tabnabbing vulnerability by securing opener information. Additionally, web pages that want to opt out of Tabnabbing prevention can use rel="opener". | Chrome 88+ |
Cracking Down the Super Cookies in Firefox | Supercookies is just a term used in the context of privacy trackers. Privacy trackers are third-party applications which store user identification details. Firefox introduced a new feature that partitions network state and caches. Using separate network state and caches for each website the user accesses makes the application more secure and prevents Cross-Site Tracking. | Firefox 85+ |
HTTPS-Only Mode | The HTTPS-Only mode restricts users from accessing HTTP applications, as it will not allow HTTP requests to pass through the browser. However, some web applications only support HTTP and the connection cannot be upgraded. If HTTPS-Only Mode is enabled and an HTTPS version of a site is not available, users will see a "Secure Connection Not Available" page, and the site can be accessed after accepting the risk warning. HTTPS-Only Mode will then be turned off temporarily for that site. | Firefox 83+ |
Referrer Leakage Prevention | Referrer Policy is used to prevent Referer header leakage. Chrome has changed its referrer policy default and now uses "strict-origin-when-cross-origin" as the default policy, instead of "no-referrer-when-downgrade". On cross-origin requests made from a web page without a referrer policy set on it, Chrome's default configuration applies "strict-origin-when-cross-origin" and prevents Referer header leakage by disclosing only the initiating origin instead of the full URL. | Chrome 85+ |
X-XSS-Protection - Legacy Header | The X-XSS-Protection header was used to prevent Cross-Site Scripting attacks. This feature was mostly used in Internet Explorer, Chrome and Safari. The X-XSS-Protection header restricted the execution of Reflected Cross-Site Scripting attacks. Currently, Chrome, Firefox and Edge no longer support the "X-XSS-Protection" header. This also means that applications which relied only on the "X-XSS-Protection" header are no longer protected against Cross-Site Scripting. | Chrome 78+ |
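
The header-related rows of the table (Same-Site cookies, Referrer Policy, X-XSS-Protection) can be turned into a quick check of what an application sets itself and what it leaves to the browser defaults. The following is an added example, not part of the original tracker; the function names, finding ids and sample headers are constructed for illustration.

```javascript
// Added example. Header names and values are real; the finding ids are made up here.
function parseSetCookie(value) {
  // "name=value; Attr; Attr=val" -> { name, attrs } with lower-cased attribute names
  const [pair, ...rest] = value.split(";").map((s) => s.trim());
  const attrs = new Map();
  for (const part of rest.filter(Boolean)) {
    const eq = part.indexOf("=");
    const key = eq === -1 ? part : part.slice(0, eq);
    attrs.set(key.trim().toLowerCase(), eq === -1 ? "" : part.slice(eq + 1).trim());
  }
  return { name: pair.split("=")[0], attrs };
}

function auditHeaders(headers) {
  // headers: array of [name, value] pairs, because Set-Cookie may repeat
  const get = (n) => headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v);
  const findings = [];
  for (const raw of get("set-cookie")) {
    const { name, attrs } = parseSetCookie(raw);
    const sameSite = (attrs.get("samesite") || "").toLowerCase();
    if (!attrs.has("samesite")) {
      findings.push(`samesite-browser-default:${name}`); // treated as Lax by the browser
    } else if (sameSite === "none") {
      findings.push(`samesite-none:${name}`); // opted out: still sent cross-site
    } else if (sameSite !== "lax" && sameSite !== "strict") {
      findings.push(`samesite-invalid:${name}`);
    }
  }

  // Simplification: the last comma-separated token is taken as the effective policy.
  const policy = get("referrer-policy").join(",").split(",")
    .map((p) => p.trim().toLowerCase()).filter(Boolean).pop();
  if (policy === undefined) {
    findings.push("referrer-policy-browser-default"); // Chrome 85+: strict-origin-when-cross-origin
  } else if (policy === "no-referrer-when-downgrade" || policy === "unsafe-url") {
    findings.push(`referrer-policy-full-url:${policy}`); // overrides the stricter default
  }
  // Chrome 78+ no longer honours this header, so it must not be the only XSS control.
  if (get("x-xss-protection").length > 0) findings.push("x-xss-protection-ignored");
  return findings;
}

// Constructed sample response, not captured traffic.
const sampleHeaders = [
  ["Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"],
  ["Set-Cookie", "widget=1; SameSite=None; Secure"],
  ["Set-Cookie", "prefs=dark; SameSite=Strict"],
  ["Referrer-Policy", "no-referrer-when-downgrade"],
  ["X-XSS-Protection", "1; mode=block"],
];
console.log(auditHeaders(sampleHeaders));
```

Findings ending in `-browser-default` mark protections that depend on the browser versions listed in the table, which matters when rating risk for users on older browsers.
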
This is an ongoing effort and more details will be added over time. Contributions are welcome via GitHub issues / pull requests.