I want to help move the state of software security forward, especially web security.  Web developers currently are groaning under a load of patchwork security mitigations caused by the desire of browser & plugin developers to maintain compatibility with existing content while not really effectively supporting the rich applications of today and tomorrow.

For example, all web applications are vulnerable to cross-site scripting and similar code injection attacks by default, unless painstakingly mitigated by the application or framework developers.  Cross-domain data loading currently relies on server-side proxies, script importing, or Flash.  Cross-site/inter-frame communication is likewise hokey and risk-prone.

Fortunately, things are starting to change for the better.  Access Control ( provides developers with native HTML methods for safely performing cross-site data loading while postMessage ( provides a mechanisms for frames from different sites to communicate securely.  Neither of these mechanisms is a fool-proof design, in the sense that misconfiguration could still result in a security vulnerability, but both are a tremendous improvement & and far safer than importing random scripts over HTTP.

In addition to designs largely finalized and in the process of being implemented in browsers, there are also a number of research efforts aimed at providing better mechanisms for addressing Cross-site Request Forgery (see the Origin header proposal located here:, Cross-site Scripting mitigations (, and content restrictions aka sandboxing (

The above list is just a few examples of the initiatives brewing out there, and I will be digging into them in more detail in future posts.

This entry was posted in Web Security. Bookmark the permalink.