└── wiki
    ├── Main.wiki
    ├── Part3.wiki
    └── Part1.wiki


/wiki/Main.wiki:
--------------------------------------------------------------------------------
 1 | #summary Browser Security Handbook landing page
 2 | #labels Featured
 3 | 
 4 | <h1>Browser Security Handbook</h1>
 5 | 
 6 |   * Written and maintained by [http://lcamtuf.coredump.cx/ Michal Zalewski] <[mailto:lcamtuf@google.com lcamtuf@google.com]>. 
 7 |   * Copyright 2008, 2009 Google Inc, rights reserved.
 8 |   * Released under terms and conditions of the [http://creativecommons.org/licenses/by/3.0 CC-3.0-BY] license.
 9 | 
10 | <h1>Table of Contents</h1>
11 | 
12 | <wiki:toc max_depth=10 />
13 |    * _[http://code.google.com/p/browsersec/wiki/Part1 → Part 1: Basic concepts behind web browsers]_
14 |    * _[http://code.google.com/p/browsersec/wiki/Part2 → Part 2: Standard browser security features]_
15 |    * _[http://code.google.com/p/browsersec/wiki/Part3 → Part 3: Experimental and legacy security mechanisms]_
16 | 
17 | =Introduction=
18 | 
19 | Hello, and welcome to the _Browser Security Handbook_!
20 | 
21 | This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.
22 | 
23 | Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.
24 | 
25 | The current version of this document is based on the following versions of web browsers:
26 | 
27 | || <font color="#3050a0">*Browser*</font> || <font color="#3050a0">*Version*</font> || <font color="#3050a0">*Test date*</font> || <font color="#3050a0">*Usage*</font>^*^ || <font color="#3050a0">*Notes*</font> ||
28 | || Microsoft Internet Explorer 6 || 6.0.2900.5512 || Feb 2, 2009 || 16% || ||
29 | || Microsoft Internet Explorer 7 || 7.0.5730.11 || Dec 11, 2008 || 11% || ||
30 | || Microsoft Internet Explorer 8 || 8.0.6001.18702 || Sep 7, 2010 || 28% ||  ||
31 | || Mozilla Firefox 2 || 2.0.0.18 || Nov 28, 2008 || 1% || ||
32 | || Mozilla Firefox 3 || 3.6.8 || Sep 7, 2010 || 22% || ||
33 | || Apple Safari || 4.0 || Jun 10, 2009 || 5% || ||
34 | || Opera || 9.62 || Nov 18, 2008 || 2% || ||
35 | || Google Chrome || 7.0.503.0 || Sep 7, 2010 || 8% || ||
36 | || Android  embedded browser || SDK 1.5 R3 || Oct 3, 2009 || <font color="#909090">n/a</font> || ||
37 | 
38 | ^*^ Approximate browser usage data based on public [http://marketshare.hitslink.com/browser-market-share.aspx?qprid=0 Net Applications] estimates for August 2010.
39 | 
40 | =Disclaimers and typographical conventions=
41 | 
42 | *Please note that although we tried to make this document as accurate as possible, some errors might have slipped through. Use this document only as an initial reference, and independently verify any characteristics you wish to depend upon. Test cases for properties featured in this document are [http://browsersec.googlecode.com/files/browser_tests-1.03.tar.gz freely available for download].*
43 | 
44 | The document attempts to capture the risks and security considerations present for general populace of users accessing the web with default browser settings in place. Although occasionally noted, the degree of flexibility offered through non-standard settings is by itself not a subject of this comparative study.
45 | 
46 | Through the document, <font color="#ff0000">red color</font> is used to bring attention to browser properties that seem particularly tricky or unexpected, and need to be carefully accounted for in server-side implementations. Whenever status quo appears to bear no significant security consequences and is well-understood, but a particular browser implementation takes additional steps to protect application developers, we use <font color="#30ff30">green color</font> to denote this, likewise. Rest assured, neither of these color codes implies that a particular browser is less or more secure than its counterparts.
47 | 
48 | =Acknowledgments=
49 | 
50 | _Browser Security Handbook_ would not be possible without the ideas and assistance from the following contributors:
51 | 
52 |   * Filipe Almeida
53 |   * Brian Eaton
54 |   * Chris Evans
55 |   * Drew Hintz
56 |   * Nick Kralevich
57 |   * Marko Martin
58 |   * Tavis Ormandy
59 |   * Wladimir Palant
60 |   * David Ross
61 |   * Marius Schilder
62 |   * Parisa Tabriz
63 |   * Julien Tinnes
64 |   * Berend-Jan Wever
65 |   * Mike Wiacek
66 | 
67 | The document builds on top of previous security research by Adam Barth, Collin Jackson, Amit Klein, Jesse Ruderman, and many other security experts who painstakingly dissected browser internals for the past few years. 
68 | 
69 | _([http://code.google.com/p/browsersec/wiki/Part1 Continue to basic concepts behind web browsers...])_


--------------------------------------------------------------------------------
/wiki/Part3.wiki:
--------------------------------------------------------------------------------
  1 | #summary Browser Security Handbook, part 3
  2 | 
  3 | <h1>Browser Security Handbook, part 3</h1>
  4 | 
  5 |   * Written and maintained by [http://lcamtuf.coredump.cx/ Michal Zalewski] <[mailto:lcamtuf@google.com lcamtuf@google.com]>. 
  6 |   * Copyright 2008, 2009 Google Inc, rights reserved.
  7 |   * Released under terms and conditions of the [http://creativecommons.org/licenses/by/3.0 CC-3.0-BY] license. 
  8 | 
  9 | <h1>Table of Contents</h1>
 10 | 
 11 |   * _[http://code.google.com/p/browsersec/wiki/Part2 ← Back to browser security features]_
 12 | <wiki:toc max_depth="10" />
 13 | 
 14 | =Experimental and legacy security mechanisms=
 15 | 
 16 | Through the years, browsers accrued a fair number of security mechanisms that had either fallen into disuse, or never caught on across more than a single vendor; as well as a number of ongoing proposals, enhancements, and extensions that are yet to prove their worth or become even vaguely standardized. This section provides a brief overview of several technologies that could fall into this class.
 17 | 
 18 | _Fun fact: when it comes to newly proposed features, many of them essentially introduce new security boundaries and permission systems mostly orthogonal, yet intertwined, with same-origin controls. Although this appears to be a good idea at first sight, some researchers [http://crypto.stanford.edu/websec/origins/fgo.pdf warn about the pitfalls] of finer-grained origins as difficult to understand to users, and hard to fully examine for potential side effects and interactions with existing code._
 19 | 
 20 | ==HTTP authentication==
 21 | 
 22 | HTTP authentication is an ancient mechanism most recently laid out in [http://www.ietf.org/rfc/rfc2617 RFC 2617]. It is a simple extension of HTTP:
 23 | 
 24 |   * Any resource for which the server requires the user to provide valid credentials would initially return a `401 Unauthorized` HTTP error code, with a `WWW-Authenticate` header describing parameters such as the authentication realm, supported authentication modes, and other method-specific parameters.
 25 | 
 26 |   * Upon receiving a `401` code, the client is expected to prompt the user for login and password, or obtain the data from in-memory cache or another credential store (where according to the RFC, it should be looked up by authentication realm name alone; although for security purposes, it should be bound to the host name as well, preferably also to port and protocol).
 27 | 
 28 |   *  User's credentials are then encoded and sent back in a new request with an additional `Authorization` header, which the server is expected to examine, and grant access or return an error message as appropriate.
 29 | 
 30 | Credentials are also cached for authentication with other subresources on the same site, and are sent out on future requests in an unsolicited manner (globally, or only for a particular path prefix).
 31 | 
 32 | Two key authentication schemes are supported by virtually all clients: `basic` and `digest`. The former simply sends user names and passwords in plain (`base64`) text - and hence the data is vulnerable to snooping, unless the process takes place over HTTPS. The latter uses a simple nonce-based challenge-response mechanism that prevents immediate password disclosure. Microsoft further extended the mechanism to include two proprietary `NTLM` and `Negotiate` schemes ([http://www.innovation.ch/personal/ronald/ntlm.html reference]) that integrate seamlessly with Microsoft Windows domain authentication.
 33 | 
 34 | As hinted in the section on [http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators URL syntax], URLs are permitted to have an optional `user[:password]@` segment immediately before the host name, to enable pre-authenticated bookmarks or shared links. In practice, the mechanism would be seldom used for legitimate purposes, but became immensely popular with phishers - who would often construct URLs such as `http://`<font color="#ff0000">`www.example-bank.com:something_something@`</font>`www.evilsite.com/` in hopes of confusing the user. This led to this URL syntax being banned in Microsoft Internet Explorer, and often resulting in security prompts elsewhere.
 35 | 
 36 | Because of these limitations and the relative inflexibility of this scheme to begin with, HTTP authentication has been almost completely extinct on the Internet, and replaced with custom solutions built around HTTP cookies (it is still sometimes used for intranet applications or for simple access control for personal resources). 
 37 | 
 38 | Amusingly, its ghost still haunts modern web applications: HTTP authentication prompts often come up in browsers when viewing trusted pages where a minor authentication-requiring sub-resource, such as `<IMG>`, is included from a rogue site - but these prompts usually do a poor job of clearly explaining who is asking for the credentials. This poses a phishing risk for services, such as blogs or discussion forums, that allow users to embed external content.
 39 | 
 40 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
 41 | || <font color="#3050a0">Is HTTP authentication supported?</font> || YES || YES || YES || YES || YES || YES || YES || YES || <font color="#ff0000">NO</font> ||
 42 | || <font color="#3050a0">Does link-embedded authentication work?</font> || NO || NO || NO || prompt || prompt || YES || prompt || YES || <font color="#909090">n/a</font> ||
 43 | || <font color="#3050a0">Is authentication data bound to realms?</font> || NO || NO || NO || NO || NO || <font color="#30ff30">YES</font> || NO || <font color="#30ff30">YES</font> || <font color="#909090">n/a</font> ||
 44 | || <font color="#3050a0">Is authentication bound to host name?</font> || YES || YES || YES || YES || YES || YES || YES || YES || <font color="#909090">n/a</font> ||
 45 | || <font color="#3050a0">Is authentication bound to protocol or port?</font> || YES || YES || YES || YES || YES || YES || YES || YES || <font color="#909090">n/a</font> ||
 46 | || <font color="#3050a0">Are cached credentials sent out on all future requests?</font> || YES || YES || YES || YES || YES || <font color="#30ff30">subdir only</font> || <font color="#30ff30">subdir only</font> || <font color="#30ff30">subdir only</font> || <font color="#909090">n/a</font> ||
 47 | || <font color="#3050a0">Do password prompts come up on `<IMG>`?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#909090">n/a</font> ||
 48 | || <font color="#3050a0">Do password prompts come up on `<EMBED>` / `<APPLET>`?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#909090">n/a</font> ||
 49 | || <font color="#3050a0">Do password prompts come up on `<SCRIPT>` and stylesheets?</font>  || YES || YES || YES || YES || YES || YES || YES || YES || <font color="#909090">n/a</font> ||
 50 | || <font color="#3050a0">Do password prompts come up on `<IFRAME>`?</font> || YES || YES || YES || YES || YES || YES || YES || YES || <font color="#909090">n/a</font> ||
 51 | 
 52 | <b></b>
 53 | 
 54 | ==Name look-ahead and content prefetching==
 55 | 
 56 | Several browsers are toying with the idea of prefetching certain information that, to their best knowledge, is likely to be needed in the immediate future. For example, Firefox offers an option to perform a background prefetch of certain links specified by page authors ([https://developer.mozilla.org/En/Link_prefetching_FAQ reference]); and Chrome is willing to carry out look-ahead DNS lookups on links on a page ([http://dev.chromium.org/developers/design-documents/dns-prefetching#TOC-DNS-Prefetch-Control reference]). The idea here is that if the user indeed takes the action anticipated by browser developers or page owners, he or she would appreciate the reduced latency achieved through these predictive, background operations.
 57 | 
 58 | On the flip side, prefetching has two important caveats: one is that it is generally rather wasteful - as users are very unlikely to follow _all_ prefetched links, and quite often, would not follow any of them; the other is that in certain applications, such look-aheads may reveal privacy-sensitive information to third parties.
 59 | 
 60 | One particularly interesting risk scenario is the context of a web mail interface: unless prefetching is properly disabled or limited, the sender of a mail containing a HTTP link might have the ability to detect that the recipient had read his message, even if the link itself is not followed.
 61 | 
 62 | ==Password managers==
 63 | 
 64 | As a part of a broader form auto-completion mechanism, most browsers offer users the ability to save their passwords on client side, and auto-complete them whenever previously seen authentication forms appear again.
 65 | 
 66 | Unfortunately, as noted in the previous section, the only standard mechanism for identifying and scoping user passwords in HTTP traffic had largely fallen into disuse; the new form- and cookie-based alternatives are custom-built for every application, are share almost nothing in common with each other. As a result, most browsers face challenges trying heuristically detect when a legitimate authentication attempt takes place and succeeds, or trying to decide how to define the realm for stored data.
 67 | 
 68 | In particular, it might be easier than intuitively expected for certain types of user content hosted (or injected) under the same host name as a trusted login interface to spoof such forms and intercept auto-filled data; letting user-controlled forms and login interfaces mix within a single same-origin context appears to be not necessarily a good idea for time being.
 69 | 
 70 | Several of the relevant password manager behaviors are shown below:
 71 | 
 72 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
 73 | || <font color="#3050a0">Password manager operation model</font> || <font color="#30ff30">needs user name</font> || <font color="#30ff30">needs user name</font> || <font color="#30ff30">needs user name</font> || auto-fills on load || auto-fills on load || auto-fills on load || <font color="#30ff30">needs UI action</font> || auto-fills on load || auto-fills on load ||
 74 | || <font color="#3050a0">Are stored passwords restricted to a full URL path?</font> || <font color="#30ff30">YES</font> || <font color="#30ff30">YES</font> || <font color="#30ff30">YES</font> || NO || NO || NO || NO || NO || NO ||
 75 | || <font color="#3050a0">Are stored `https` passwords restricted to SSL only?</font> || YES || YES || YES || YES || YES || YES || YES || YES || <font color="#ff0000">NO</font> ||
 76 | 
 77 | <b></b>
 78 | 
 79 | Robert Chapin offers some additional research into [http://www.info-svc.com/news/2008/12-12/ password manager scoping habits], exploring some non-security considerations as well.
 80 | 
 81 | ==Microsoft Internet Explorer zone model==
 82 | 
 83 | All current versions of Internet Explorer utilize an interesting concept of [http://support.microsoft.com/kb/174360 security zones], not shared with any other browser on the market. The idea behind the approach is to compartmentalize resources into various categories, depending on the degree of trust given - and then control almost all security settings for these groups separately. The following zones are defined:
 84 | 
 85 |   * *My computer:* a container for all local `file:///` resources, with the exception of documents annotated with mark-of-the-web tags. The user has no control over what gets included into this zone, although an `urlmon.dll` API is provided to give certain protocol handlers the ability to define additional mappings ([http://msdn.microsoft.com/en-us/library/ms537133(VS.85).aspx reference]).
 86 | 
 87 |   * *Local intranet:* a container for all sites determined by simple configurable heuristics to belong to the local network (non-FQDN host names, proxy server exception list, content accessed over SMB). The user may list additional host names to include in this zone.
 88 | 
 89 |   * *Trusted sites:* an empty container for trusted pages. This group enjoys certain elevated privileges, particularly to run ActiveX controls, install desktop elements, or programatically access the clipboard. The user is expected to populate the zone with trusted sites that require these permissions to operate.
 90 | 
 91 |   * *Restricted sites:* an empty container for untrusted pages. This group has many of the rudimentary permissions taken away, such as the ability to initiate file downloads or use `<META HTTP-EQUIV="Refresh" ...>`. The user is expected to populate the zone with sites he would rather approach with caution (presumably ahead of the first planned visit).
 92 | 
 93 |   * *Internet:* a default container for all sites on the Internet not included in any of the remaining categories.
 94 | 
 95 | This design makes it possible to, for example, fine-tune the permissions of `file:///` resources without impacting Internet sites, or to forbid navigation from "Internet" to "Local intranet" - and from this perspective, appears to offer a major security benefit. On the flip side:
 96 | 
 97 |   * Quite a few important security settings are excluded from the zone model, somewhat diminishing its value; for example, cookie permissions or SSL behavior is controlled elsewhere.
 98 | 
 99 |   * The number of settings currently offered in this model is remarkably high, and many of them appear to be too finely grained, or have vague or confusing descriptions with security impact not clearly explained (_"Script controls marked as safe for scripting"_, _"Navigate sub-frames across different domains"_), increasing the risk of hard-to-spot configuration errors.
100 | 
101 |   * The model fails to account for the impact of cross-site scripting flaws in trusted sites. Since users add pages such as Windows Update, their banks, and other legacy sites that may not always work properly in the "Internet" zone to "Trusted sites", giving them a lot of unnecessary permissions as a side effect, the impact of cross-site scripting flaws on these pages may result in the attacker suddenly gaining the ability to carry out dangerous actions normally not available to Internet content.
102 | 
103 |   * The complexity of the model and the permissive settings of some zones resulted in a [http://www.securityfocus.com/news/8998 large number of security problems] that could easily be avoided by employing a simpler approach instead.
104 | 
105 | ==Microsoft Internet Explorer frame restrictions==
106 | 
107 | Another interesting, little-known security feature unique to Microsoft Internet Explorer is the concept of [http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx SECURITY=RESTRICTED frames]. The idea behind the mechanism is that some services may have a legitimate use for limiting the ability of data displayed within `<IFRAME>` containers to disrupt the top-level document or abuse same-origin policies - and so, with the `SECURITY=RESTRICTED` attribute, the content may be placed in the "Restricted sites" zone, and - in theory - deprived of the ability to run disruptive scripts or access cookies.
108 | 
109 | No support outside of Microsoft Internet Explorer makes this feature useless as a security defense for most intents and purposes; but the mechanism needs to be considered for its potential negative security impact, such as the ability to prevent frame busting code from operating properly and making [http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing) UI redress attacks] a bit easier. No support for HTTP cookies within a restricted container would normally limit the impact, but flaws in the design are known.
110 | 
111 | Due to its minimal use, the mechanism likely received very little security scrutiny otherwise.
112 | 
113 | ==HTML5 sandboxed frames==
114 | 
115 | A better-developed descendant of the `SECURITY=RESTRICTED` is the current HTML5 proposal for [http://www.w3.org/TR/html5/text-level-semantics.html#attr-iframe-sandbox sandboxed frames]. The design appears to be considerably more robust and offers a better granularity for restricting the behavior of framed sites: embedding domains will be able to disallow scripting altogether; allow Java<b></b>Script but make all same-origin policy checks fail;  or allow scripting, but prevent navigating the top-level document to prevent framebusting.
116 | 
117 | Of all these features, the ability to place content in a same-origin policy sandbox is the most tricky one. Perhaps most importantly, the attacker could simply open the normally framed document directly (this is prevented by using `text/html-sandboxed` as a MIME type; but [http://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors content sniffing logic] will render this trick unsafe in certain browsers). The other significant problem is that mechanisms such as local storage and workers (see next chapter), form autocomplete, and so forth, need to be specifically accounted forth and denied access to - something that will likely prove challenging in the long run.
118 | 
119 | ==HTML5 storage, cache, and worker experiments==
120 | 
121 | Firefox 2 embraced the idea of [https://developer.mozilla.org/En/DOM/Storage globalStorage], a somewhat haphazard mechanism that permitted data to be stored persistently for offline use in a local database shared across all sites (and until Firefox 2, with no strong security controls on scoping). The concept of `globalStorage` originated with early HTML5 drafts, although there, got eventually ditched in favor of a more tightly controlled [http://dev.w3.org/html5/webstorage/#the-sessionstorage-attribute sessionStorage] and [http://dev.w3.org/html5/webstorage/#dom-localstorage localStorage] APIs, supported by Firefox 3.6, Internet Explorer 8, Opera, and WebKit-based browsers.
122 | 
123 | Another idea of [http://www.w3.org/TR/2009/WD-html5-20090212/structured-client-side-storage.html#sql SQL database] support made rounds, but originally failed to gain any support.
124 | 
125 | _WARNING: The implementation of `sessionStorage` and `localStorage` in Internet Explorer 8 dangerously deviates from the standard, treating storages managed by HTTP and HTTPS content as same-origin. The `sessionStorage` implementation in Firefox 3.6 also permits properties set by HTTP pages to be read by HTTPS content, but not vice versa - which can be problematic._
126 | 
127 | Further along the lines of offline storage mechanisms, Firefox 3 introduced, and Firefox 3.1 revised in a largely incompatible manner, the concept of [https://developer.mozilla.org/en/Offline_resources_in_Firefox cache manifests] that permit sites to opt for having certain resources persistently stored in a site-specific cache, and then retrieved from there instead of being looked up on the net. The feature is again borrowed from the ever-shifting HTML5 specification (and now also available in WebKit browsers).
128 | 
129 | [http://www.whatwg.org/specs/web-workers/current-work/ Web workers] are another HTML5 design along these lines, starting to ship with WebKit browsers. The idea is to permit asynchronous, background Java<b></b>Script execution in a separate process; dedicated workers would be tied to their opener, and terminated when the page closes; shared workers are not bound to their origin, and free to use `postMessage` API to interact with third-party domains; and persistent workers may be allowed to launch and execute across browser sessions with no additional dependencies of any sort. There are still some kinks in the design documents at this point, however.
130 | 
131 | ==Microsoft Internet Explorer XSS filtering==
132 | 
133 | An experimental [http://blogs.technet.com/swi/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx reflected HTML injection filter] is available in Microsoft Internet Explorer 8. The filter attempts to disable any Javascript on the page that seems to be copied from query parameters. The complexity of escaping rules, jiffy handling of certain character sets, and quirky rules for parsing HTML documents, all make it likely that the mechanism would never achieve a 100% coverage - a property that Microsoft [http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx pragmatically acknowledges] in their design proposals. As such, the mechanism would likely serve to complement, rather than replace, proper server-side development practices.
134 | 
135 | An important downside of the design is that it aims to selectively disable script snippets that appear in URL query parameters, instead of displaying an interstitial or other security prompt, and permitting the page to display in full, or not display at all. This behavior may potentially enable attackers to carefully take out [http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing) frame-busting code] or other security-critical components of targeted applications, while leaving the rest of the functionality intact. 
136 | 
137 | The filter also features a same-origin exception that inhibits filtering when site-supplied links are followed. In many complex web applications, this may be used to bypass the mechanism altogether.
138 | 
139 | ==Script restriction frameworks==
140 | 
141 | Several experimental browser-side or client-side designs aim to provide control over same-origin permissions for scripts, or over when scripts may execute on pages to begin with. Although such features would not necessarily prevent all the potential negative effects of rendering attacker-controlled HTML in trusted domains, a well-executed solution could indeed avert most of the high-impact vulnerabilities.
142 | 
143 | There are two primary classes of solutions proposed:
144 | 
145 |   * *Comprehensive script security frameworks:* these approaches strive to offer the ability for site owner to approve or reject arbitrary actions executed by scripts with a great deal of flexibility. Examples include Microsoft [https://research.microsoft.com/users/yxie/papers/hotOS07.pdf Mutation-Event Transforms] for browser-side checks (not clear if this is being pursued in any browser), or Google [http://code.google.com/p/google-caja/ Caja] and Microsoft [http://websandbox.livelabs.com/Default.aspx Web Sandbox] for a solution that requires no browser-side tweaks.
146 | 
147 |   * *Selective script disable / enable functions:* these comparatively simpler solutions attempt to give web developers the tools to disable scripting in certain critical areas of the document, such as around user input or a block of intentionally non-sanitized HTML. One example such a proposal are Trevor Jim's [http://www.research.att.com/~trevor/papers/beep-tr.pdf Browser-Enforced Embedded Policies], or the [http://msdn.microsoft.com/en-us/library/cc848922(VS.85).aspx toStaticHTML() API] in Microsoft Internet Explorer 8.
148 | 
149 | ==Secure JSON parsing==
150 | 
151 | A traditional method for modern web applications to parse same-origin, serialized text Java<b></b>Script responses returned by servers in response to `XMLHttpRequest` calls is to pass them to `eval()` - which turns the string into a native object. Unfortunately, calls to `eval()` have a number of side effects - most notably, any code smuggled inside the string would execute in the recipient script security context, putting an additional burden on the server or the client to sanitize the code - and leading to many security bugs.
152 | 
153 | Several implementations of secure JSON parsers were proposed earlier, such as the (unsafe!) implementation suggested [http://www.ietf.org/rfc/rfc4627.txt RFC4627], but they generally combine varying levels of insecurity with very significant performance penalties.
154 | 
155 | In response to this, several browsers rolled out [http://blog.mozilla.com/webdev/2009/02/12/native-json-in-firefox-31/ JSON.parse()], a native non-executing JSON parser that could be used as a drop-in replacement for `eval()`. The interface does not address the much greater risk of loading cross-domain JavaScript information via `<SCRIPT SRC=...>` or similar approaches, and the cross-browser support is at this point very limited, shipping in Chrome and Firefox 3.5.
156 | 
157 | ==Origin headers==
158 | 
159 | Adam Barth, Collin Jackson, and other researchers propose the introduction of reliable [http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html Origin headers] as an answer to the risk of cross-site request forgery - giving sites the ability to reliably and easily decide whether a particular request [http://code.google.com/p/browsersec/wiki/Part2#Navigation_and_content_inclusion_across_domains permitted across domains] comes from a trusted party or not.
160 | 
161 | In theory, an existing `Referer` HTTP header could be used for the same purpose, but many users install tweaks to suppress it for privacy reasons; the header may also be dropped on certain page transitions, and was not generally designed to be reliable. `Origin` proposals attempt to limit the risk of the header being disabled by limiting the amount of data being sent across domains (host name, but no full URL; though arguably, it may still easily disclose undesirable information); and limiting the types of requests on which the header is provided (although this may undermine some of the security benefits associated with the solution).
162 | 
163 | ==Mozilla content security policies==
164 | 
165 | Brandon Sterne of Mozilla proposes [http://people.mozilla.org/~bsterne/content-security-policy/index.html content security policies] ([https://wiki.mozilla.org/Security/CSP/Spec specification]), a mechanism that would permit site owners to define a list of valid target domains for `<IMG>`, `<EMBED>`, `<APPLET>`, `<SCRIPT>`, `<IFRAME>`, and similar resources appearing in their content; and to disallow inline code from being used directly on a page.
166 | 
167 | The security benefit of these features is limited primarily to cross-site scripting prevention and webmaster policy enforcement; the proposal originally also incorporated the ability to define a list of valid origins for incoming requests as a method to mitigate cross-site request forgery attacks - but this part of the design got dropped in favor of more flexible and simpler `Origin` headers.
168 | 
169 | =Open browser engineering issues=
170 | 
171 | Other than the general design of HTTP, HTML, and related mechanisms discussed previously, a handful of browser engineering decisions tends to contribute to a disproportional number of day-to-day security issues. Understanding these properties is sometimes important for properly assessing the likelihood and maximum impact of security breaches, and hence determining the safety of user data. Some of the pivotal, open-ended issues include:
172 | 
173 |   * *Relatively unsafe core programming languages:* C++ is used for a majority of code in Internet Explorer, Firefox, Safari, Opera, and Chrome; C is used in certain high-performance or low-level areas, such as image manipulation libraries. The choice of C and C++ means that browsers are regularly plagued by memory management and integer overflow problems, despite considerable ongoing audit efforts.
174 | 
175 |   * *No security compartmentalization:* once control of the process is seized due to common implementation flaws, most browsers provide essentially unconstrained access to the user context they are running in. This means that browser bugs - historically, very common - easily lead to total system integrity loss.<p /><i>There are three exceptions: Chrome uses a [http://dev.chromium.org/developers/design-documents/sandbox security sandbox] to contain the renderer (which includes Web<b></b>Kit and V8, hence constituting one of the largest and most complicated bodies of code in the project). Access to system functions and browser-managed data is heavily constrained, and individual tabs are generally run in separate processes, with some exceptions for new tabs spawned in response to document navigation. Android, on the other hand, runs the browser in a dedicated user account, and then restricts the ability for this context to execute any undesirable actions in the system. Likewise, Internet Explorer 7, when running on Windows Vista, is running with reduced privileges as a whole ([http://msdn.microsoft.com/en-us/library/bb250462.aspx reference]).</i>.
176 | 
177 |   * *Web technologies are used in browser chrome:* Java<b></b>Script, HTML, and XML are all used to a varying degree to implement some browser internals and various diagnostic and error pages in most browsers. This choice contributes to an elevated risk of HTML injection flaws that permit web content to gain elevated chrome privileges, which - depending on the browser - may carry the permission to read or write files, access arbitrary sites on the Internet, or alter browser settings. The problem is particularly pronounced for Firefox, which implements much of its user interface in this manner.
178 | 
179 |   * *Inconsistent and overly complex security UIs:* a vast majority of browsers employ highly inconsistent UI elements and security messaging, including several styles of modal prompts, interstitials, icons, color codes, and messages that pop up either on the bottom or on the top of the document window. Usability studies consistently show that at least some of these features are easily mis-identified, misunderstood, or trivial to spoof (this is particularly the case for interstitials and notification bars that are not anchored in browser UI). Although a gradual improvement may be observed in certain aspects, further coordinated work in this area seems to be necessary; [http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html timing attack issues] are a particularly interesting problem to deal with.
180 | 
181 |   * *Ad hoc plugin security models:* every plugin enforces its own variant of the same-origin policy and HTTP stack security checks, often with subtle variations from the browser implementation, and with a relatively poor track record. There is no compelling reason why these checks should not be managed centrally in browser code, other than the absence of well-documented APIs. This situation leads to frequent plugin security model issues, and make web application development more challenging than needs to be.
182 | 
183 |   * *Inconsistent and haphazard data storage practices:* browsers use a mix of random storage methods to keep temporary files, downloads, configuration data, and sensitive records such as passwords, browsing history, saved cookies, or cache entries. These methods include system registry, database container files, drop-off directories, text-based configs (CSV, INI, tab-delimited, XML), and proprietary binary files. The data may be stored in user home directories, system-wide temporary directories, or global program installation folders. Controlling the permissions on all these resources and manipulating them securely is relatively difficult, contributing to many problems, particularly in multi-user systems, or when multiple browsers are used by the same user.
184 | 
185 |   * *General susceptibility to denial-of-service attacks:* as discussed in the section on Java<b></b>Script execution restrictions, browsers are generally vulnerable to resource exhaustion or UI blocking attacks that may crash or render the browser - or even the underlying operating system - unresponsive or difficult to interact with. In some cases, this may be even abused to extort certain UI actions from less experienced users. Even with Java<b></b>Script out of the picture, tasks such as parsing XML or HTML documents, or rendering certain types of images or videos, are often sufficiently computationally expensive to facilitate such attacks.
186 | 
187 |   * *Incompatibility with untrusted networks:* browsers will persistently cache resources retrieved over untrusted networks, such as public wifi - and will grant such content full access to previously cached pages or credentials. This problem makes it virtually impossible to use public wireless hotspots safely.
188 | 
189 | _([http://code.google.com/p/browsersec/wiki/Main Go back to the beginning])_


--------------------------------------------------------------------------------
/wiki/Part1.wiki:
--------------------------------------------------------------------------------
  1 | #summary Browser Security Handbook, part 1
  2 | 
  3 | <h1>Browser Security Handbook, part 1</h1>
  4 | 
  5 |   * Written and maintained by [http://lcamtuf.coredump.cx/ Michal Zalewski] <[mailto:lcamtuf@google.com lcamtuf@google.com]>. 
  6 |   * Copyright 2008, 2009 Google Inc, rights reserved.
  7 |   * Released under terms and conditions of the [http://creativecommons.org/licenses/by/3.0 CC-3.0-BY] license. 
  8 | 
  9 | <h1>Table of Contents</h1>
 10 | 
 11 |   * _[http://code.google.com/p/browsersec/wiki/Main ← Back to introduction]_
 12 | <wiki:toc max_depth="10" />
 13 |   * _[http://code.google.com/p/browsersec/wiki/Part2 → Forward to browser security features]_
 14 | 
 15 | =Basic concepts behind web browsers=
 16 | 
 17 | This section provides a review of core standards and technologies behind current browsers, and their security-relevant properties. No specific attention is given to features implemented explicitly for security purposes; these are discussed in later in the document.
 18 | 
 19 | ==Uniform Resource Locators==
 20 | 
 21 | All web resources are addressed with the use of uniform resource identifiers. Being able to properly parse the format, and make certain assumptions about the data present therein, is of significance to many server-side security mechanisms.
 22 | 
 23 | The abstract syntax for URIs is described in [http://www.ietf.org/rfc/rfc3986.txt RFC 3986]. The document defines a basic hierarchical URI structure, defining a white list of unreserved characters that may appear in URIs as-is as element names, with no particular significance assigned (`0-9 A-Z a-z - . _ ~`), spelling out reserved characters that have special meanings and can be used in some places only in their desired function (`: / ? # [ ] @ ! $ & ' ( ) * + , ; =`), and establishing a hexadecimal percent-denoted encoding (`%nn`) for everything outside these sets (including the stray `%` character itself).
 24 | 
 25 | Some additional mechanisms are laid out in [http://www.ietf.org/rfc/rfc1738.txt RFC 1738], which defines URI syntax within the scope of HTTP, FTP, NNTP, Gopher, and several other specific protocols. Together, these RFCs define the following syntax for common Internet resources (the compliance with a generic naming strategy is denoted by the `//` prefix):
 26 | 
 27 | {{{
 28 | scheme://[login[:password]@](host_name|host_address)[:port][/hierarchical/path/to/resource[?search_string][#fragment_id]]
 29 | }}}
 30 | 
 31 | Since the presence of a scheme is the key differentiator between relative references permitted in documents for usability reasons, and fully-qualified URLs, and since `:` itself has other uses later in the URL, the set of characters permitted for scheme name must be narrow and clearly defined (`0-9 A-Z a-z + - .`) so that all implementations may make the distinction accurately.
 32 | 
 33 | On top of the aforementioned documents, a W3C draft [http://www.w3.org/Addressing/rfc1630.txt RFC 1630] and a non-HTTP [http://www.ietf.org/rfc/rfc2368.txt RFC 2368] de facto outline some additional concepts, such as the exact HTTP search string syntax (`param1=val1[&param2=val2&...]`), or the ability to use the `+` sign as a shorthand notation for spaces (the character itself does not function in this capacity elsewhere in the URL, which is somewhat counterintuitive).
 34 | 
 35 | Although a broad range of reserved characters is defined as delimiters in generic URL syntax, only a subset is given a clear role in HTTP addresses at any point; the function of `[`, `]`, `!`, `$`, `'`, `(`, `)`, `*`, `;`, or `,` is not explicitly defined anywhere, but the characters are sometimes used to implement esoteric parameter passing conventions in oddball web application frameworks. The RFC itself sometimes implies that characters with no specific function within the scheme should be treated as regular, non-reserved ASCII characters; and elsewhere, suggests they retain a special meaning - in both cases creating ambiguities.
 36 | 
 37 | The standards that specify the overall URL syntax are fairly laid back - for example, they permit IP addresses such as `74.125.19.99` to be written in completely unnecessary and ambiguous ways such as `74.0x7d.023.99` (mixing decimal, octal, and hexadecimal notation) or `74.8196963` (24 bits coalesced). To add insult to injury, on top of this, browsers deviate from these standards in random ways, for example accepting URLs with technically illegal characters, and then trying to escape them automatically, or passing them as-is to underlying implementations - such as the DNS resolver, which itself then rejects or passes through such queries in a completely OS-specific manner.
 38 | 
 39 | A particularly interesting example of URL parsing inconsistencies is the two following URLs. The first one resolves to a different host in Firefox, and to a different one in most other browsers; the second one behaves uniquely in Internet Explorer instead:
 40 | 
 41 | {{{
 42 | http://example.com\@coredump.cx/
 43 | http://example.com;.coredump.cx/
 44 | }}}
 45 | 
 46 | Below is a more detailed review of the key differences that often need to be accounted for:
 47 | 
 48 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
 49 | || <font color="#3050a0">Characters ignored in front of URL schemes</font> || <font color="#ff0000">\x01-\x20</font> || <font color="#ff0000">\x01-\x20</font> || <font color="#ff0000">\x01-\x20</font> || \t \r \n \x20 || \t \r \n \x20 || \x20 || \t \r \n <font color="#ff0000">\x0B \x0C \xA0</font> || <font color="#ff0000">\x00-\x20</font> || \x20 ||
 50 | || <font color="#3050a0">Non-standard characters permitted in URL scheme names (excluding `0-9 A-Z a-z + - .`)</font> || \t \r \n || \t \r \n || \t \r \n || \t \r \n || \t \r \n || <font color="#909090">none</font> || \r \n <font color="#ff0000">+UTF8</font> || <font color="#ff0000">\0</font> \t \r \n || <font color="#909090">none</font> ||
 51 | || <font color="#3050a0">Non-standard characters kept as-is, with no escaping, in URL query strings (excluding `0-9 A-Z a-z - . _ ~ : / ? # [ ] @ ! $ & ' ( ) * + , ; =`)^*^</font> || <font color="#ff0000">" < > \</font> ^ ` { | } \x7F || <font color="#ff0000">" < > \</font> ^ ` { | } \x7F || <font color="#ff0000">" < > \</font> ^ ` { | } \x7F || <font color="#ff0000">\</font> ^ { | } || <font color="#ff0000">\</font> ^ { | } || ^ { | } || ^ { | } \x7F || <font color="#ff0000">" \</font> ^ ` { | } || <font color="#909090">n/a</font> ||
 52 | || <font color="#3050a0">Non-standard characters fully ignored in host names</font> || \t \r \n || \t \r \n \xAD || \t \r \n \xAD || \t \r \n \xAD || \t \r \n \xAD || \xAD || \x0A-\x0D \xA0 \xAD || \t \r \n \xAD || <font color="#909090">none</font> ||
 53 | || <font color="#3050a0">Types of partial or broken URLs auto-corrected to fully qualified ones</font> || //y \\y || //y \\y || //y \\y || //y x:///y x://`[y]` || //y x:///y x://`[y]` || //y \\y x:/y x:///y || //y \\y x://`[y]` || //y \\y x:///y || //y \\y ||
 54 | || <font color="#3050a0">Is fragment ID (hash) encoded by applying RFC-mandated URL escaping rules?</font> || <font color="#ff0000">NO</font> || <font color="#ff0000">NO</font> || <font color="#ff0000">NO</font> || <font color="#ff0000">PARTLY</font> || <font color="#ff0000">PARTLY</font> || YES || <font color="#ff0000">NO</font> || <font color="#ff0000">NO</font> || YES ||
 55 | || <font color="#3050a0">Are non-reserved `%nn` sequences in URL path decoded in address bar?</font> || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || <font color="#ff0000">YES</font> || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#909090">n/a</font> ||
 56 | || <font color="#3050a0">Are non-reserved `%nn` sequences in URL path decoded in `location.href`?</font> || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> ||
 57 | || <font color="#3050a0">Are non-reserved `%nn` sequences in URL path decoded in actual HTTP requests sent?</font> || NO || <font color="#30ff30">YES</font> || <font color="#30ff30">YES</font> || NO || NO || NO || NO || <font color="#30ff30">YES</font> || NO ||
 58 | || <font color="#3050a0">Characters rejected in URL login or password (excluding `/ # ; ? : % @`)</font> || \x00 <font color="#30ff30">\</font> || \x00 <font color="#30ff30">\</font> || \x00 <font color="#30ff30">\</font> || <font color="#909090">none</font> || <font color="#909090">none</font> || \x00-\x20 " < > `[` <font color="#30ff30">\</font> `]` ^ ` { | } \x7f-\xff || \x00 || \x00 \x01 <font color="#30ff30">\</font> || \x00-\x20 " < > `[` <font color="#30ff30">\</font> `]` ^ ` { | } \x7f-\xff ||
 59 | || <font color="#3050a0">URL authentication data splitting behavior with multiple `@` characters</font> || leftmost || leftmost || leftmost || <font color="#ff0000">rightmost</font> || <font color="#ff0000">rightmost</font> || leftmost || <font color="#ff0000">rightmost</font> || <font color="#ff0000">rightmost</font> || leftmost ||
 60 | 
 61 | _^*^ Interestingly, Firefox 3.5 takes a safer but non-RFC-compliant approach of encoding stray ' characters as %27 in URLs, in addition to the usual escaping rules._
 62 | 
 63 | _NOTE: As an anti-phishing mechanism, additional restrictions on the use of `login` and `password` fields in URLs are imposed by many browsers; see the section on [http://code.google.com/p/browsersec/wiki/Part3#HTTP_authentication HTTP authentication] later on._
 64 | 
 65 | Please note that when links are embedded within HTML documents, [http://www.w3.org/TR/REC-html40/charset.html#h-5.3.2 HTML entity decoding] takes place before the link is parsed. Because of this, if a tab is ignored in URL schemes, a link such as `javascript&#09;:alert(1)` may be accepted and executed as Java<b></b>Script, just as `javascript<TAB>:alert(1)` would be. Furthermore, certain characters, such as `\x00` in Internet Explorer, or `\x08` in Firefox, may be ignored by HTML parsers if used in certain locations, even though they are not treated differently by URL-handling code itself.
 66 | 
 67 | ===Unicode in URLs===
 68 | 
 69 | Much like several related technologies used for web content transport, URLs do not have any particular character set defined by relevant RFCs; [http://www.ietf.org/rfc/rfc3986.txt RFC 3986] ambiguously states: _"In local or regional contexts and with improving technology, users might benefit from being able to use a wider range of characters; such use is not defined by this specification."_ The same dismissive approach is taken in HTTP header specification.
 70 | 
 71 | As a result, in the context of web URLs, any high-bit user input may and should be escaped as `%nn` sequences, but there is no specific guidance provided on how to transcode user input in system's native code page when talking to other parties that may not share this code page. On a system that uses UTF-8 and receives a URL containing Unicode `ą` in the path, this corresponds to a sequence of `0xC4 0x85` natively; however, when sent to a server that uses `ISO-8859-2`, the correct value sent should be `0xB1` (or alternatively, additional information about client-specific encoding should be included to make the conversion possible on server side). In practice, most browsers deal with this by sending UTF-8 data by default on any text entered in the URL bar by hand, and using page encoding on all followed links.
 72 | 
 73 | Another limitation of URLs traces back to DNS as such; [http://www.ietf.org/rfc/rfc1035.txt RFC 1035] permits only characters `A-Z a-z 0-9 -` in DNS labels, with period (`.`) used as a delimiter; some resolver implementations further permit underscore (`_`) to appear in DNS names, violating the standard, but other characters are almost universally banned. With the growth of the web, the need to accommodate non-Latin alphabets in host names was perceived by multiple parties - and the use of `%nn` encoding was not an option, because `%` as such was not on the list.
 74 | 
 75 | To solve this, [http://tools.ietf.org/html/rfc3490 RFC 3490] lays out a rather contrived encoding scheme that permitted Unicode data to be stored in DNS labels, and [http://tools.ietf.org/html/rfc3492 RFC 3492] outlines a specific implementation within DNS labels - commonly referred to as Punycode - that follows the notation of `xn--[US-ASCII part]-[encoded Unicode data]`. Any Punycode-aware browser faced with non US-ASCII data in a host name is expected to transform it to this notation first, and then perform a traditional DNS lookup for the encoded string.
 76 | 
 77 | Putting these two methods together, the following transformation is expected to be made internally by the browser:
 78 | 
 79 | {{{
 80 | http://www.ręczniki.pl/?ręcznik=1 → http://www.xn--rczniki-98a.pl/?r%C4%99cznik=1
 81 | }}}
 82 | 
 83 | Key security-relevant differences in high-bit URL handling are outlined below:
 84 | 
 85 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
 86 | || <font color="#3050a0">Request URL path encoding when following plain links</font> || UTF-8 || UTF-8 || UTF-8 || page encoding || UTF-8 || UTF-8 || UTF-8 || UTF-8 || UTF-8 ||
 87 | || <font color="#3050a0">Request URL query string encoding when following plain links</font> || <font color="#ff0000">page encoding, no escaping</font> || <font color="#ff0000">page encoding, no escaping</font> || <font color="#ff0000">page encoding, no escaping</font> || page encoding || page encoding || page encoding || page encoding || page encoding || page encoding ||
 88 | || <font color="#3050a0">Request URL path encoding for `XMLHttpRequest` calls</font> || page encoding || page encoding || page encoding || page encoding || page encoding || page encoding || page encoding || page encoding || page encoding ||
 89 | || <font color="#3050a0">Request URL query string encoding for `XMLHttpRequest` calls</font> || <font color="#ff0000">page encoding, no escaping</font> || <font color="#ff0000">page encoding, no escaping</font> || <font color="#ff0000">page encoding, no escaping</font> || page encoding || page encoding || <font color="#ff0000">mangled</font> || page encoding || <font color="#ff0000">mangled</font> || <font color="#ff0000">mangled</font> || 
 90 | || <font color="#3050a0">Request URL path encoding for manually entered URLs</font> || UTF-8 || UTF-8 || UTF-8 || UTF-8 || UTF-8 || UTF-8 || UTF-8 || UTF-8 || UTF-8 ||
 91 | || <font color="#3050a0">Request URL query string encoding for manually entered URLs</font> || <font color="#ff0000">transcoded to 7 bit</font> || <font color="#ff0000">transcoded to 7-bit</font> || <font color="#ff0000">transcoded to 7-bit</font> || UTF-8 || UTF-8 || UTF-8 || <font color="#ff0000">stripped to `?`</font> || UTF-8 || UTF-8 ||
 92 | || <font color="#3050a0">Raw Unicode in host names auto-converted to Punycode?</font> || NO || YES || YES || YES || YES || YES || YES || YES || NO ||
 93 | || <font color="#3050a0">Is percent-escaped UTF-8 in host names auto-converted to Punycode?</font> || (NO) || YES || YES || <font color="#ff0000">NO</font> || <font color="#ff0000">on retry</font> || YES || YES || YES || (NO) ||
 94 | || <font color="#3050a0">URL bar Unicode display method for host names</font> || (Punycode) || Unicode || Unicode || Unicode || Unicode || Unicode || Unicode || Unicode || (Punycode) ||
 95 | || <font color="#3050a0">URL bar Unicode display method outside host names</font> || Unicode || Unicode || Unicode || `%nn` || Unicode || Unicode || as `?` || Unicode || <font color="#909090">n/a</font> ||
 96 | 
 97 | _NOTE 1: Firefox generally uses UTF-8 to encode most URLs, but will send characters supported by ISO-8859-1 using that codepage._
 98 | 
 99 | _NOTE 2: As an anti-phishing mechanism, additional restrictions on the use of some or all Unicode characters in certain top-level domains are imposed by many browsers; see [http://code.google.com/p/browsersec/wiki/Part2#International_Domain_Name_checks domain name restrictions] chapter later on._
100 | 
101 | ==True URL schemes==
102 | 
103 | URL schemes are used to indicate what general protocol needs to be used to retrieve the data, and how the information needs to be processed for display. Schemes may also be tied to specific default values of some URL fields - such as a TCP port - or specific non-standard URL syntax parsing rules (the latter is usually denoted by the absence of a `//` string after scheme identifier).
104 | 
105 | Back in 1994, [http://www.ietf.org/rfc/rfc1738.txt RFC 1738] laid out several URL schemes in the context of web browsing, some of which are not handled natively by browsers, or have fallen into disuse. As the web matured, multiple new open and proprietary schemes appeared with little or no consistency, and the set of protocols supported by each browser began to diverge. [http://www.ietf.org/rfc/rfc2718.txt RFC 2718] attempted to specify some ground rules for the creation of new protocols, and [http://www.ietf.org/rfc/rfc4395.txt RFC 4395] mandated that new schemes be registered with IANA (their list is [http://www.iana.org/assignments/uri-schemes.html available here]). In practice, however, few parties could be bothered to follow this route.
106 | 
107 | To broadly survey the capabilities of modern browsers, it makes sense to divide URL schemes into a group natively supported by the software, and another group supported by a plethora of plugins, extensions, or third-party programs. The first list is relatively short:
108 | 
109 | || <font color="#3050a0">*Scheme name*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
110 | || <font color="#3050a0">HTTP ([http://www.ietf.org/rfc/rfc2616.txt RFC 2616])</font> || YES || YES || YES || YES || YES || YES || YES || YES || YES ||
111 | || <font color="#3050a0">HTTPS ([http://www.ietf.org/rfc/rfc2616.txt RFC 2818])</font> || YES || YES || YES || YES || YES || YES || YES || YES || YES ||
112 | || <font color="#3050a0">SHTTP ([http://www.ietf.org/rfc/rfc2660.txt RFC 2660])</font> || as HTTP || as HTTP || as HTTP || NO || NO || NO || NO || NO || NO ||
113 | || <font color="#3050a0">FTP ([http://www.ietf.org/rfc/rfc1738.txt RFC 1738])</font> || YES || YES || YES || YES || YES || YES || YES || YES || NO ||
114 | || <font color="#3050a0">file ([http://www.ietf.org/rfc/rfc1738.txt RFC 1738])</font> || YES || YES || YES || YES (local) || YES (local) || YES (local) || YES || YES || NO ||
115 | || <font color="#3050a0">Gopher ([http://www.ietf.org/rfc/rfc4266.txt RFC 4266])</font> || NO || NO || NO || YES || YES || NO || defunct? || NO || NO ||
116 | || <font color="#3050a0">news ([http://tools.ietf.org/html/draft-ellermann-news-nntp-uri-11 draft RFC])</font> || NO || NO || NO || NO || NO || NO || YES || NO || NO ||
117 | 
118 | These protocols may be used to deliver natively rendered content that is interpreted and executed using the security rules implemented within the browsers.
119 | 
120 | The other list, third-party protocols routed to other applications, depends quite heavily on system configuration. The set of protocols and their handlers is usually maintained in a separate system-wide registry. Browsers may whitelist some of them by default (executing external programs without prompting), or blacklist some (preventing their use altogether); the default action is often to display a mildly confusing prompt. Most common protocols in this family include:
121 | 
122 | {{{
123 | acrobat                           - Acrobat Reader
124 | callto                            - some instant messengers, IP phones
125 | daap / itpc / itms / ...          - Apple iTunes
126 | FirefoxURL                        - Mozilla Firefox
127 | hcp                               - Microsoft Windows Help subsystem
128 | ldap                              - address book functionality
129 | mailto                            - various mail agents
130 | mmst / mmsu / msbd / rtsp / ...   - streaming media of all sorts
131 | mso-offdap                        - Microsoft Office
132 | news / snews / nntp               - various news clients
133 | outlook / stssync                 - Microsoft Outlook
134 | rlogin / telnet / tn3270          - telnet client
135 | shell                             - Windows Explorer
136 | sip                               - various IP phone software
137 | }}}
138 | 
139 | New handlers might be registered in OS- and application-specific ways, for example by registering new `HKCR\Protocols\Handlers` keys in Windows registry, or adding `network.protocol-handler.*` settings in Firefox.
140 | 
141 | As a rule, the latter set of protocols is not honored within the renderer when referencing document elements such as images, script or applet sources, and so forth; they do work, however, as `<IFRAME>` and link targets, and will launch a separate program as needed. These programs may sometimes integrate seamlessly with the renderer, but the rules by which they render content and impose security restrictions are generally unrelated to the browser as such.
142 | 
143 | Historically, the ability to plant such third-party schemes in links proved to be a significant exploitation vector, as poorly written, vulnerable external programs often register protocol handlers without user's knowledge or consent; as such, it is prudent to reject unexpected schemes where possible, and exercise caution when introducing new ones on client side (including observing [http://www.securityfocus.com/bid/24837/ safe parameter passing conventions]).
144 | 
145 | ==Pseudo URL schemes==
146 | 
147 | In addition to the aforementioned "true" URL schemes, modern browsers support a large number of pseudo-schemes used to implement various advanced features, such as encapsulating encoded documents within URLs, providing legacy scripting features, or giving access to internal browser information and data views.
148 | 
149 | Encapsulating schemes are of interest to any link-handling applications, as these methods usually impose specific non-standard content parsing or rendering modes on top of existing resources specified in the later part of the URL. The underlying content is retrieved using HTTP, looked up locally (e.g., `file:///`), or obtained using other generic method - and, depending on how it's then handled, may execute in the security context associated with the origin of this data. For example, the following URL:
150 | 
151 | {{{
152 | jar:http://www.example.com/archive.jar!/resource.html
153 | }}}
154 | 
155 | ...will be retrieved over HTTP from `http://www.example.com/archive.jar`. Because of the encapsulating protocol, the browser will then attempt to interpret the obtained file as a standard Sun Java ZIP archive (`JAR`), and extract, then display `/resource.html` from within that archive, in the context of `example.com`.
156 | 
157 | Common encapsulating schemes are shown in the table below.
158 | 
159 | || <font color="#3050a0">*Scheme name*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
160 | || <font color="#3050a0">feed (RSS, [http://www.brindys.com/winrss/feedformat.html draft spec])</font> || NO || NO || NO || NO || NO || YES || NO || NO || NO ||
161 | || <font color="#3050a0">hcp, its, mhtml, mk, ms-help, ms-its, ms-itss (Windows help archive parsing)</font> || YES || YES || YES || NO || NO || NO || NO || NO || NO ||
162 | || <font color="#3050a0">jar ([http://docs.sun.com/source/819-0913/author/jar.html Java archive parsing])</font> || NO || NO || NO || YES || YES || NO || NO || NO || NO ||
163 | || <font color="#3050a0">view-cache, wyciwyg (cached page views)</font> || NO || NO || NO || YES || YES || NO || NO || YES || NO ||
164 | || <font color="#3050a0">view-source (page source views)</font> || NO || NO || NO || YES || YES || NO || NO || YES || NO ||
165 | 
166 | In addition to encapsulating schemes enumerated above, there are various schemes used for accessing browser-specific internal features unrelated to web content. These pseudo-protocols include `about:` (used to access static info pages, errors, cache statistics, configuration pages, [http://en.wikipedia.org/wiki/About: and more]), `moz-icon:` (used to access file icons), `chrome:`, `chrome-resource:`, `chromewebdata:`, `resource:`, `res:`, and `rdf:` (all used to reference built-in resources of the browser, often rendered with elevated privileges). There is little or no standardization or proper documentation for these mechanisms, but as a general rule, web content is not permitted to directly reference any sensitive data. Permitting them to go through on trusted pages may serve as an attack vector in case of browser-side vulnerabilities, however.
167 | 
168 | Finally, several pseudo-schemes exist specifically to enable scripting or URL-contained data rendering in the security context inherited from the caller, without actually referencing any additional external or internal content. It is particularly unsafe to output attacker-controlled URLs of this type on pages that may contain any sensitive content. Known schemes of this type include:
169 | 
170 | || <font color="#3050a0">*Scheme name*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
171 | || <font color="#3050a0">data (in-place documents, [http://www.ietf.org/rfc/rfc2397.txt RFC 2397])</font> || NO || NO || [http://msdn.microsoft.com/en-us/library/cc848897%28VS.85%29.aspx PARTIAL] || YES || YES || YES || YES || YES || YES ||
172 | || <font color="#3050a0">javascript ([http://developer.mozilla.org/en/docs/JavaScript web scripting])</font> || YES || YES || YES || YES || YES || YES || YES || YES || YES ||
173 | || <font color="#3050a0">vbscript ([http://msdn.microsoft.com/en-us/library/sx7b3k7y(VS.85).aspx Microsoft proprietary scripting])</font> || YES || YES || YES || NO || NO || NO || NO || NO || NO ||
174 | 
175 | 
176 | _NOTE: Historically, numerous aliases for these schemes were also present; `livescript` and `mocha` schemes were supported by Netscape Navigator and other early browsers as aliases for Java<b></b>Script; `local` worked in some browsers as a nickname for `file`; etc. This is not witnessed anymore._
177 | 
178 | ==Hypertext Transfer Protocol==
179 | 
180 | The core protocol used to request and annotate much of web traffic is called the Hypertext Transfer Protocol. This text-based communication method originated as a very simple, underspecified design drafted by Tim Berners-Lee, dubbed HTTP/0.9 ([http://www.w3.org/Protocols/HTTP/AsImplemented.html see W3C archive]) - these days no longer used by web browsers, but recognized by some servers. It then evolved into a fairly complex, and still somewhat underspecified HTTP/1.1, as described in [http://www.ietf.org/rfc/rfc2616.txt RFC 2616], whilst maintaining some superficial compatibility with the original idea.
181 | 
182 | Every HTTP request opens with a single-line description of a content access method (`GET` meant for requesting basic content, and `POST` meant for submitting state-changing data to servers - along with plethora of more specialized options typically not used by web browsers under normal circumstances). In HTTP/1.0 and up, this is then followed by protocol version specification - and the opening line itself is followed by zero or more additional `field: value` headers, each occupying their own line. These headers specify all sorts of meta-data, from target host name (so that a single machine may host multiple web sites), to information about client-supported MIME types, cache parameters, the site from which a particular request originated (`Referer`), and so forth. Headers are terminated with a single empty line, followed by any optional payload data being sent to the server if specified by a `Content-Length` header. 
183 | 
184 | One example of an HTTP request might be:
185 | 
186 | {{{
187 | POST /fuzzy_bunnies/bunny_dispenser.php HTTP/1.1
188 | Host: www.fuzzybunnies.com
189 | User-Agent: Bunny-Browser/1.7
190 | Content-Type: text/plain
191 | Content-Length: 12
192 | Referer: http://www.fuzzybunnies.com/main.html
193 | 
194 | HELLO SERVER
195 | }}}
196 | 
197 | The server responds in a similar manner, returning a numerical status code, spoken protocol version, and similarly formatted metadata headers followed by actual content requested, if available:
198 | 
199 | {{{
200 | HTTP/1.1 200 OK
201 | Server: Bunny-Server/0.9.2
202 | Content-Type: text/plain
203 | Connection: close
204 | 
205 | HELLO CLIENT
206 | }}}
207 | 
208 | Originally, every connection would be one-shot: after a request is sent, and response received, the session is terminated, and a new connection needs to be established. Since the need to carry out a complete TCP/IP handshake for every request imposed a performance penalty, newer specifications introduced the concept of keep-alive connections, negotiated with a particular request header that is then acknowledged by the server.
209 | 
210 | This, in conjunction with the fact that HTTP supports proxying and content caching on interim systems managed by content providers, ISPs, and individual subscribers, made it particularly important for all parties involved in an HTTP transaction to have exactly the same idea of where a request starts, where it ends, and what it is related to. Unfortunately, the protocol itself is highly ambiguous and has a potential for redundancy, which leads to multiple problems and differences between how servers, clients, and proxies may interpret responses:
211 | 
212 |   * Like many other text protocols of that time, early takes on HTTP made little or no effort to mandate a strict adherence to a particular understanding of what a text-based format really is, or how certain "intuitive" field values must be structured. Because of this, implementations would recognize, and often handle in incompatible ways, technically malformed inputs - such as incorrect newline characters (lone `CR`, lone `LF`, `LF CR`), `NUL` or other disruptive control characters in text, incorrect number of whitespaces in field delimiters, and so forth; to various implementations, `Head\0er: Value` may appear as `Head`, `Head: Value`, `Header: Value`, or `Head\0er: Value`. In later versions, as outlined in RFC 2616 section 19.3 ("Tolerant Applications"), the standard explicitly recommends, but does not require, lax parsing of certain fields and invalid values. One of the most striking examples of compatibility kludges is Firefox [http://mxr.mozilla.org/mozilla1.8.0/source/nsprpub/pr/src/misc/prtime.c#1045 prtime.c] function used to parse HTTP `Date` fields, which shows a stunning complexity behind what should be a remarkably simple task.
213 | 
214 |   * No particular high bit character set is defined for HTTP headers, and high bit characters are allowed by HTTP/1.0 with no further qualification, then technically disallowed by HTTP/1.1, unless encoded in accordance with [http://www.ietf.org/rfc/rfc2047.txt RFC 2047]. In practice, there are legitimate reasons for such characters to appear in certain HTTP fields (e.g., `Cookie`, `Content-Disposition` filenames), and most implementations do not support RFC 2047 in all these places, or find support for it incompatible with other RFCs (such as the specifications for `Cookie` headers again). This resulted in some implementations interpreting HTTP data as UTF-8, and some using single-byte interpretations native to low-level OS string handling facilities.
215 | 
216 |    * The behavior when some headers critical to the correct understanding of an HTTP request are duplicate or contradictory is not well defined; as such, various clients will give precedence to different occurrences of the same parameter within HTTP headers (e.g., duplicate `Content-Type`), or assign various weights to conflicting information (say, `Content-Length` not matching payload length). In other cases, the precedence might be defined, but not intuitive - for example, RFC 2616 section 5.2 says that absolute request URI data takes precedence over `Host` headers.
217 | 
218 |    * When new features that change the meaning of requests were introduced in HTTP/1.1 standard, no strict prohibition against recognizing them in requests or responses marked as HTTP/1.0 was made. As a result, the understanding of HTTP/1.0 traffic may differ significantly between legacy agents, such as some commercial web proxies, and HTTP/1.1 applications such as contemporary browsers (e.g., `Connection: keep-alive`, `Transfer-Encoding: chunked`, `Accept-Encoding: ...`).
219 | 
220 | Many specific areas, such as caching behavior, have their own sections later in this document. Below is a survey of general security-relevant differences in HTTP protocol implementations:
221 | 
222 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
223 | || <font color="#3050a0">Header-less (HTTP/0.9) responses supported?</font> || YES || YES || YES || YES || YES || YES || YES || YES || YES ||
224 | || <font color="#3050a0">Lone CR (`0x0D`) treated as a header line separator?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO ||
225 | || <font color="#3050a0">`Content-Length` header value overrides actual content length?</font> || NO || YES || YES || NO || NO || YES || YES || NO || YES ||
226 | || <font color="#3050a0">First HTTP header of the same name takes precedence?</font> || YES || YES || YES || NO || NO || YES || NO || YES || NO ||
227 | || <font color="#3050a0">First field value in a HTTP header takes precedence?</font> || YES || YES || YES || YES || YES || YES || YES || YES || YES ||
228 | || <font color="#3050a0">Is `Referer` header sent on HTTPS → HTTPS navigation?</font> || YES || YES || YES || YES || YES || YES || <font color="#30ff30">NO</font> || YES || YES ||
229 | || <font color="#3050a0">Is `Referer` header sent on HTTPS → HTTP navigation?</font> || NO || NO || NO || NO || NO || NO || NO || NO || NO ||
230 | || <font color="#3050a0">Is `Referer` header sent on HTTP → HTTPS → HTTP redirection?</font> || YES || YES || YES || YES || YES || YES || YES || <font color="#30ff30">NO</font> || YES ||
231 | || <font color="#3050a0">Is `Referer` header sent on pseudo-protocol → HTTP navigation?</font> || NO || NO || NO || NO || NO || NO || NO || NO || NO ||
232 | || <font color="#3050a0">Is fragment ID included in `Referer` on normal requests?</font> || NO || NO || NO || NO || NO || NO || NO || NO || NO ||
233 | || <font color="#3050a0">Is fragment ID included in `Referer` on `XMLHttpRequest`?</font> || YES || YES || YES || NO || NO || NO || NO || NO || NO ||
234 | || <font color="#3050a0">Response body on invalid 30x redirect shown to user?</font> || NO || NO || NO || YES || YES || NO || YES || YES || NO ||
235 | || <font color="#3050a0">High-bit character handling in HTTP cookies</font> || <font color="#ff0000">transcoded to 7 bit</font> || <font color="#ff0000">transcoded to 7 bit</font> || <font color="#ff0000">transcoded to 7 bit</font> || <font color="#ff0000">mangled</font> || <font color="#ff0000">mangled</font> || UTF-8 || UTF-8 || UTF-8 || UTF-8 ||
236 | || <font color="#3050a0">Are `quoted-string` values supported for HTTP cookies?</font> || <font color="#ff0000">NO</font> || <font color="#ff0000">NO</font> || <font color="#ff0000">NO</font> || YES || YES || <font color="#ff0000">NO</font> || YES || <font color="#ff0000">NO</font> || YES ||
237 | 
238 | _NOTE 1: `Referer` will always indicate the site from which the navigation originated, regardless of any 30x redirects in between. If it is desirable to hide the original URL from the destination site, Java<b></b>Script pseudo-protocol hops, or `Refresh` redirection, needs to be used._
239 | 
240 | _NOTE 2: `Refresh` header tokenization in MSIE occurs in a very unexpected manner, making it impossible to navigate to URLs that contain any literal `;` characters in them, unless the parameter is enclosed in additional quotes. The tokenization also historically permitted cross-site scripting through URLs such as:_
241 | 
242 | {{{
243 | http://example.com;URL=javascript:alert(1)
244 | }}}
245 | 
246 | _Unlike in all other browsers, older versions of Internet Explorer would interpret this as two `URL=` directives, with the latter taking precedence:_
247 | 
248 | {{{
249 | Refresh: 0; URL=http://example.com;URL=javascript:alert(1)
250 | }}}
251 | 
252 | ==Hypertext Markup Language==
253 | 
254 | Hypertext Markup Language, the primary document format rendered by modern web browsers, has its roots with [http://en.wikipedia.org/wiki/SGML Standard Generalized Markup Language], a standard for machine-readable documents. The initial [http://www.w3.org/History/19921103-hypertext/hypertext/WWW/MarkUp/Tags.html HTML draft] provided a very limited syntax intended strictly to define various functional parts of the document. With the rapid development of web browsers, this basic technology got extended very rapidly and with little oversight to provide additional features related to visual presentation, scripting, and various perplexing and proprietary bells and whistles. Perhaps more interestingly, the format was also extended to provide the ability to embed other, non-HTTP multimedia content on pages, nest HTML documents within frames, and submit complex data structures and client-supplied files.
255 | 
256 | The mess eventually led to a post-factum compromise standard dubbed [http://www.w3.org/TR/REC-html32 HTML 3.2]. The outcome of this explosive growth was a format needlessly hard to parse, and combining unique quirks, weird limitations, and deeply intertwined visual style and document structure information - and so ever since, W3C and WHATWG focused on making HTML a clean, strict, and well-defined language, a goal at least approximated with [http://www.w3.org/TR/html401/ HTML 4] and [http://www.w3.org/TR/xhtml2/ XHTML] (a variant of HTML that strictly conforms to XML syntax rules), as well as the ongoing work on [http://www.w3.org/TR/html5/ HTML 5].
257 | 
258 | This day, the four prevailing HTML document rendering implementations are:
259 | 
260 |   * [http://msdn.microsoft.com/en-us/library/aa741317.aspx Trident] (MSHTML) - used in MSIE6, MSIE7, MSIE8,
261 |   * [http://developer.mozilla.org/en/Gecko Gecko] - used in Firefox and derivates,
262 |   * [http://webkit.org/ WebKit] - used by Safari, Chrome, Android,
263 |   * Presto - used in Opera.
264 | 
265 | The ability for various applications to accurately understand HTML document structure, as it would be seen by a browser, is an important security challenge. The serial nature of the HTML blends together code (Java<b></b>Script, Flash, Java applets) and the actual data to be displayed - making it easy for attackers to smuggle dangerous directives along with useful layout information in any external content. Knowing exactly what is being rendered is often crucial to site security (see [http://code.google.com/p/doctype/wiki/ArticleXSS this article] for a broader discussion of the threat).
266 | 
267 | Sadly, for compatibility reasons, parsers operating in non-XML mode tend to be generally lax and feature proprietary, incompatible, poorly documented recovery modes that make it very difficult for any platform to anticipate how a third-party HTML document - or portion thereof - would be interpreted. Any of the following grossly malformed examples may be interpreted as a scripting directive by some, but usually not all, renderers:
268 | 
269 | {{{
270 | 01: <B <SCRIPT>alert(1)</SCRIPT>>
271 | 02: <B="<SCRIPT>alert(1)</SCRIPT>">
272 | 03: <IMG SRC=`javascript:alert(1)`>
273 | 04: <S[0x00]CRIPT>alert(1)</S[0x00]CRIPT>
274 | 05: <A """><IMG SRC="javascript:alert(1)">
275 | 06: <IMG onmouseover =alert(1)>
276 | 07: <A/HREF="javascript:alert(1)">
277 | 08: <!-- Hello -- world > <SCRIPT>alert(1)</SCRIPT> -->
278 | 09: <IMG ALT="><SCRIPT>alert(1)</SCRIPT>"(EOF)
279 | 10: <![><IMG ALT="]><SCRIPT>alert(1)</SCRIPT>">
280 | }}}
281 | 
282 | [http://code.google.com/p/doctype/wiki/ArticlesXSS Cross-site scripting] aside, another interesting property of HTML is that it permits certain HTTP directives to be encoded within HTML itself, using the following format:
283 | 
284 | {{{
285 | <META HTTP-EQUIV="Content-Type" VALUE="text/html; charset=utf-8">
286 | }}}
287 | 
288 | Not all `HTTP-EQUIV` directives are meaningful - for example, the determination of `Content-Type`, `Content-Length`, `Location`, or `Content-Disposition` had already been made by the time HTML parsing begins - but some values seen may be set this way. The strategy for resolving HTTP - HTML conflicts is not outlined in W3C standards - but in practice, valid HTTP headers take precedence over `HTTP-EQUIV`; on the other hand, `HTTP-EQUIV` takes precedence over unrecognized HTTP header values. `HTTP-EQUIV` tags will also take precedence when the content is moved to non-HTTP media, such as saved to local disk.
289 | 
290 | A fascinating quirk exists in the Internet Explorer HTML parser. While all other browsers accept quoted string parameter values only if the quote appear in front of the parameter, MSIE looks for an _equals-quote_ substring anywhere in the middle:
291 | 
292 | {{{
293 | <img src=test.jpg?value=">Yes, we are still inside a tag!">
294 | }}}
295 | 
296 | Other behaviors unique to Internet Explorer include the recognition of conditional HTML syntax, such as:
297 | 
298 | {{{
299 | <!--[if IE 6]>
300 |   Markup that will be parsed only for Internet Explorer 6
301 | <![endif]-->
302 | }}}
303 | 
304 | ...and the recognition of %-type, comment-like HTML tags.
305 | 
306 | Some of the other security-relevant differences between HTML parsing modes in the aforementioned engines are shown below:
307 | 
308 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
309 | || <font color="#3050a0">Parser resets on nested HTML tags (`<FOO <BAR...`)?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO ||
310 | || <font color="#3050a0">Recursive recovery with nested tags (both `FOO` and `BAR` interpreted)?</font> || (NO) || (NO) || (NO) || YES || YES || (NO) || (NO) || (NO) || (NO) ||
311 | || <font color="#3050a0">Parser resets out on invalid tag names (`<FOO="<BAR...`)?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO ||
312 | || <font color="#3050a0">Trace-back on missing tag closure (`<FOO BAR="><BAZ>"(EOF)`)?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || <font color="#ff0000">YES</font> || NO || NO ||
313 | || <font color="#3050a0">Trace-back on missing parameter closure (`<FOO BAR="><BAZ>(EOF)`)?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || <font color="#ff0000">YES</font> || NO || NO ||
314 | || <font color="#3050a0">SGML-style comment parsing permitted in strict mode (`--` and `>` may appear separately)?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO ||
315 | || <font color="#3050a0">`CDATA` blocks supported in plain HTML documents?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || <font color="#ff0000">YES</font> || NO || NO ||
316 | || <font color="#3050a0">!- and ?-type tags are parsed in a non-HTML manner (`<!FOO BAR="-->"...` breaks)?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || <font color="#ff0000">YES</font> || NO || NO ||
317 | || <font color="#3050a0">Characters accepted as tag name / parameter separators (excluding `\t \r \n \x20`)</font> || \x0B \x0C <font color="#ff0000">/</font> || \x0B \x0C <font color="#ff0000">/</font> || NO || <font color="#ff0000">/</font> || <font color="#ff0000">/</font> || \x0B \x0C || \x0B \x0C \xA0 || \x0B \x0C || \x0B \x0C ||
318 | || <font color="#3050a0">Characters ignored between parameter name, equals sign, and value (excluding `\t \r \n`)</font> || \0 \x0B \x0C \x20 || \0 \x0B \x0C \x20 || \0 \x0B \x0C \x20 || \x20 || \x20 || \0 \x0B \x0C \x20 || \x20 \xA0 || \0 \x0B \x0C \x20 || \0 \x0B \x0C \x20 ||
319 | || <font color="#3050a0">Characters accepted in lieu of quotes for HTML parameters (excluding `"`)</font> || ' <font color="#ff0000">`</font> || ' <font color="#ff0000">`</font> || ' <font color="#ff0000">`</font> || ' || ' || ' || ' || ' || ' || 
320 | || <font color="#3050a0">Characters accepted in tag names (excluding `A-Z / ? !`)</font> || <font color="#ff0000">\0 %*</font>|| <font color="#ff0000">\0 %</font> || <font color="#ff0000">\0 %</font> || <font color="#909090">none</font> || <font color="#909090">none</font> || <font color="#909090">none</font> || <font color="#ff0000">\0</font> || <font color="#909090">none</font> || <font color="#909090">none</font> ||
321 | 
322 | For a good overview of these and many other HTML parsing quirks, you should probably have a look at [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 "Web Application Obfuscation"], a book by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, and David Lindsay.
323 | 
324 | _NOTE 1: to add insult to injury, special HTML handling rules seem to be sometimes applied to specific sections of a document; for example, `\x00` character is ignored by Internet Explorer, and `\x08` by Firefox, in certain HTML contexts, but not in others; most notably, they are ignored in HTML tag parameter values in respective browsers._
325 | 
326 | _NOTE 2: the behavior of HTML parsers, WebKit in particular, is changing rapidly due to some of the HTML5 work._
327 | 
328 | ===HTML entity encoding===
329 | 
330 | HTML features a special encoding scheme called [http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references HTML entities]. The purpose of this scheme is to make it possible to safely render certain reserved HTML characters (e.g., `< > &`) within documents, as well as to carry high bit characters safely over 7-bit media. The scheme nominally permits three types of notation:
331 | 
332 |   * One of predefined, named entities, in the format of `&<name>;` - for example `&lt;` for `<`, `&gt;` for `>`, `&rarr;` for `→`, etc,
333 | 
334 |   * Decimal entities, `&#<nn>;`, with a number corresponding to the desired Unicode character value - for example `&#60;` for `<`, `&#8594;` for `→`,
335 | 
336 |   * Hexadecimal entities, `&#x<nn>;`, likewise - for example `&#x3c;` for `<`, `&#x2192;` for `→`.
337 | 
338 | In every browser, HTML entities are decoded only in parameter values and stray text between tags. Entities have no effect on how the general structure of a document is understood, and no special meaning in sections such as `<SCRIPT>`. The ability to understand and parse the syntax is still critical to properly understanding the value of a particular HTML parameter, however. For example, as hinted in one of the earlier sections, `<A HREF="javascript&#09;:alert(1)">` may need to be parsed as an absolute reference to `javascript<TAB>:alert(1)`, as opposed to a link to something called `javascript&` with a local URL hash string part of `#09;alert(1)`.
339 | 
340 | Unfortunately, various browsers follow different parsing rules to these HTML entity notations; all rendering engines recognize entities with no proper `;` terminator, and all permit entities with excessively long, zero-padded notation, but with various thresholds:
341 | 
342 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
343 | || <font color="#3050a0">Maximum length of a correctly terminated decimal entity</font> || <font color="#ff0000">7</font> || <font color="#ff0000">7</font> || <font color="#ff0000">7</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> ||
344 | || <font color="#3050a0">Maximum length of an incorrectly terminated decimal entity</font> || <font color="#ff0000">7</font> || <font color="#ff0000">7</font> || <font color="#ff0000">7</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> ||
345 | || <font color="#3050a0">Maximum length of a correctly terminated hex entity</font> || <font color="#ff0000">6</font> || <font color="#ff0000">6</font> || <font color="#ff0000">6</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> ||
346 | || <font color="#3050a0">Maximum length of an incorrectly terminated hex entity</font> || 0 || 0 || 0 || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> || <font color="#ff0000">∞</font> ||
347 | || <font color="#3050a0">Does entity value wraps around 2^32?</font> || NO || NO || NO || NO || NO || YES || NO || YES || YES ||
348 | || <font color="#3050a0">Characters permitted in entity names (excluding `A-Z a-z 0-9`)</font> || <font color="#909090">none</font> || <font color="#909090">none</font> || <font color="#909090">none</font> || <font color="#ff0000">- . _</font> || <font color="#ff0000">- . _</font> || <font color="#909090">none</font> || <font color="#909090">none</font> || <font color="#909090">none</font> || <font color="#909090">none</font> ||
349 | 
350 | In WebKit, entries past a certain length used to get parsed, but incorrectly; for example, `&#000000065;` would become a sequence of three characters, `\x06 5 ;`. This has been fixed recently.
351 | 
352 | An interesting piece of trivia is that, as per HTML entity encoding requirements, links such as:
353 | 
354 | {{{
355 | http://example.com/?p1=v1&p2=v2
356 | }}}
357 | 
358 | Should be technically always encoded in HTML parameters (but not in Java<b></b>Script code) as:
359 | 
360 | {{{
361 | <a href="http://example.com/?p1=v1&amp;p2=v2">Click here</a>
362 | }}}
363 | 
364 | In practice, however, the convention is almost never followed by web developers, and browsers compensate for it by treating invalid HTML entities as literal `&`-containing strings.
365 | 
366 | ==Document Object Model==
367 | 
368 | As the web matured and the concept of client-side programming gained traction, the need arose for HTML document to be programatically accessible and modifiable on the fly in response to user actions. One technology, [http://www.w3.org/DOM/DOMTR Document Object Model] (also referred to as "dynamic HTML"), emerged as the prevailing method for accomplishing this task.
369 | 
370 | In the context of web browsers, Document Object Model is simply an object-based representation of HTML document layout, and by a natural extension much of the browser internals, in a hierarchical structure with various read and write properties, and callable methods. To illustrate, to access the value of the first `<INPUT>` tag in a document through DOM, the following Java<b></b>Script code could be used:
371 | 
372 | {{{
373 | document.getElementsByTagName('INPUT')[0].value
374 | }}}
375 | 
376 | Document Object Model also permits third-party documents to be referenced, subject to certain security checks discussed [http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access later on]; for example, the following code accesses the `<INPUT>` tag in the second `<IFRAME>` on a current page:
377 | 
378 | {{{
379 | document.getElementsByTagName('IFRAME')[1].contentDocument.getElementsByTagName('INPUT')[0].value
380 | }}}
381 | 
382 | DOM object hierarchy - as seen by programmers - begins with an implicit "root" object, sometimes named `defaultView` or `global`; all the scripts running on a page have `defaultView` as their default scope. This root object has the following members:
383 | 
384 |   * Various properties and methods relating to current document-specific window or frame ([http://www.w3schools.com/HTMLDOM/dom_obj_window.asp reference]). Properties include window dimensions, status bar text, references to parent, top-level, and owner (opener) `defaultView` objects. Methods permit scripts to resize, move, change focus, or decor of current windows, display certain UI widgets, or - oddly enough - set up Java<b></b>Script timers to execute code after a certain "idle" interval.
385 | 
386 |   * All the current script's global variables and functions.
387 | 
388 |   * `defaultView.document` ([http://www.w3schools.com/HTMLDOM/dom_obj_document.asp reference]) - a top-level object for the actual, proper _document_ object model. This hierarchy represents all of the document elements, along with their specific methods and properties, and document-wide object lookup functions (e.g., `getElementById`, `getElementsByTagName`, etc). An assortment of browser-specific, proprietary APIs is usually present on top of the common functionality (e.g., [http://msdn.microsoft.com/en-us/library/ms533049%28VS.85%29.aspx document.execCommand] in Internet Explorer).
389 | 
390 |   * `defaultView.location` ([http://www.w3schools.com/HTMLDOM/dom_obj_location.asp reference]) - a simple object describing document's current location, both as an unparsed string, and split into parsed segments; provides methods and property setters that allow scripts to navigate away to other sites.
391 | 
392 |   * `defaultView.history` ([http://www.w3schools.com/HTMLDOM/dom_obj_history.asp reference]) - another simple object offering three methods to enable pages to navigate back to previously visited pages.
393 | 
394 |   * `defaultView.screen` ([http://www.w3schools.com/HTMLDOM/dom_obj_screen.asp reference]) - yet another modestly sized object with a bunch of mostly read-only properties describing properties of the current display device, including pixel and DPI resolution, and so forth.
395 | 
396 |   * `defaultView.navigator` ([http://www.w3schools.com/HTMLDOM/dom_obj_navigator.asp reference]) - an object containing read-only properties such as browser make and version, operating platform, or plugin configuration.
397 | 
398 |   * `defaultView.window` - a self-referential entry that points back to the root object; this is the name by which the `defaultView` object is most commonly known. In general, `screen`, `navigator`, and `window` DOM hierarchies combined usually contain enough information to very accurately fingerprint any given machine.
399 | 
400 | With the exception of cross-domain, cross-document access permissions outlined in later chapters, the operation of DOM bears relatively little significance to site security. It is, however, worth noting that DOM methods are wrappers providing access to highly implementation-specific internal data structures that may or may not obey the usual rules of Java<b></b>Script language, may haphazardly switch between bounded and ASCIZ string representations, and so forth. Because of this, multiple seemingly inexplicable oddities and quirks plague DOM data structures in every browsers - and some of these may interfere with client-side security mechanisms. Several such quirks are documented below:
401 | 
402 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
403 | || <font color="#3050a0">Is `window` the same object as `window.window`?</font> || <font color="#ff0000">NO</font> || <font color="#ff0000">NO</font> || <font color="#ff0000">NO</font> || YES || YES || YES || YES || YES || YES ||
404 | || <font color="#3050a0">Is `document.URL` writable?</font> || NO || YES || YES || NO || NO || NO || NO || NO || NO ||
405 | || <font color="#3050a0">Can builtin DOM objects be clobbered?</font> || <font color="#ff0000">overwrite</font> || <font color="#ff0000">overwrite</font> ||<font color="#ff0000">overwrite</font> || shadowing || shadowing || shadowing || <font color="#ff0000">overwrite</font> || <font color="#ff0000">overwrite</font> || shadowing ||
406 | || <font color="#3050a0">Does `getElementsByName` look up by `ID=` values as well?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || <font color="#ff0000">YES</font> || NO || NO ||
407 | || <font color="#3050a0">Are `.innerHTML` assignments truncated at `NUL`?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO || <font color="#ff0000">YES</font> || NO || NO ||
408 | || <font color="#3050a0">Are `location.*` assignments truncated at `NUL`?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO ||
409 | 
410 | _Trivia: traversing `document.*` is a possible approach to look up specific input or output fields when modifying complex pages from within scripts, but it is not a very practical one; because of this, most scripts resort to `document.getElementById()` method to uniquely identify elements regardless of their current location on the page. Although `ID=` parameters for tags within HTML documents are expected to be unique, there is no such guarantee. Currently, all major browsers seem to give the first occurrence a priority._
411 | 
412 | ==Browser-side Javascript==
413 | 
414 | [http://en.wikipedia.org/wiki/Javascript JavaScript] is a relatively simple but rich, object-based imperative scripting language tightly integrated with HTML, and supported by all contemporary web browsers. Authors claim that the language has roots with [http://en.wikipedia.org/wiki/Scheme_(programming_language) Scheme] and [http://en.wikipedia.org/wiki/Self_(programming_language) Self] programming languages, although it is often characterized in a more down-to-earth way as resembling a crossover of [http://en.wikipedia.org/wiki/C++ C/C++] and [http://en.wikipedia.org/wiki/Visual_Basic Visual Basic]. Confusingly, except for the common C syntax, it shares relatively few unique features with [http://en.wikipedia.org/wiki/Java_(programming_language) Java]; the naming is simply a marketing gimmick devised by Netscape and Sun in the 90s.
415 | 
416 | The language is a creation of Netscape engineers, originally marketed under the name of Mocha, then Livescript, and finally rebranded to Java<b></b>Script; Microsoft embraced the concept shortly thereafter, under the name of JScript. The language, as usual with web technologies, got standardized only post factum, under a yet another name - ECMAScript. Additional, sometimes overlapping efforts to bring new features and extensions of the language - for example, [http://wiki.ecmascript.org/doku.php ECMAScript 4], [http://developer.mozilla.org/Special:Tags?tag=JavaScript_version_overviews&language=en JavaScript versions 1.6-1.8], [http://developer.mozilla.org/En/E4X native XML objects], etc - are taking place, although none of these concepts managed to win broad acceptance and following.
417 | 
418 | Browser-side Java<b></b>Script is invoked from within HTML documents in four primary ways: 
419 | 
420 |   # Standalone `<SCRIPT>` tags that enclose code blocks,<p />
421 |   # Event handlers tied to HTML tags (e.g. `onmouseover="..."`),<p />
422 |   # Stylesheet `expression(...)` blocks that permit Java<b></b>Script syntax in some browsers,<p />
423 |   # Special URL schemes specified as targets for certain resources or actions (`javascript:...`) - in HTML and in stylesheets.
424 | 
425 | Note that the first option does not always work when such a string is dynamically added by running Java<b></b>Script to an existing document. That said, any of the remaining options might be used as a comparable substitute.
426 | 
427 | Regardless of their source (`<SCRIPT SRC="...">`), remote scripts always execute in the security context of the document they are attached to. Once called, Java<b></b>Script has full access to the current DOM, and limited access to DOMs of other windows; it may also further invoke new Java<b></b>Script by calling `eval()`, configuring timers (`setTimeout(...)` and `setInterval(...)`), or producing Java<b></b>Script-invoking HTML. Java<b></b>Script may also configure self to launch when its objects are interacted with by third-party Java<b></b>Script code, by configuring watches, setters, or getters, or cross contexts by calling same-origin functions belonging to other documents.
428 | 
429 | Java<b></b>Script enjoys very limited input and output capabilities. Interacting with same-origin document data and drawing [http://developer.mozilla.org/en/Canvas_tutorial CANVASes], displaying `window.*` pop-up dialogs, and writing script console errors aside, there are relatively few I/O facilities available. File operations or access to other persistent storage is generally not possible, although some [https://developer.mozilla.org/en/DOM/Storage experimental features] are being introduced and quickly scrapped. Scripts may send and receive data from the originating server using the [http://www.w3.org/TR/XMLHttpRequest/ XMLHttpRequest] extension, which permits scripts to send and read arbitrary payloads; and may also automatically send requests and read back properly formatted responses by issuing `<SCRIPT SRC="...">`, or `<LINK REL="Stylesheet" HREF="...">`, even across domains. Lastly, Java<b></b>Script may send information to third-party servers by spawning objects such as `<IMG>`, `<IFRAME>`, `<OBJECT>`, `<APPLET>`, or by triggering page transitions, and encoding information in the URL that would be automatically requested by the browser immediately thereafter - but it may not read back the returned data. Some side channels related to browser caching mechanisms and lax DOM security checks also exist, providing additional side channels between cooperating parties.
430 | 
431 | Some of the other security-relevant characteristics of Java<b></b>Script environments in modern browsers include:
432 | 
433 |   * *Dynamic, runtime code interpretation with no strict code caching rules*. Any code snippets located in-line with HTML tags would be interpreted and executed, and Java<b></b>Script itself has a possibility to either directly evaluate strings as Java<b></b>Script code (`eval(...)`), or to produce new HTML that in turn may contain more Java<b></b>Script (`.innerHTML` and `.outerHTML` properties, `document.write()`, event handlers). The behavior of code that attempts to modify own container while executing (through DOM) is not well-defined, and varies between browsers.
434 | 
435 |   * *Somewhat inconsistent exception support*. Although within the language itself, exception-throwing conditions are well defined, it is not so when interacting with DOM structures. Depending on the circumstances, some DOM operations may fail silently (with writes or reads ignored), return various magic responses (`undefined`, `null`, `object inaccessible`), throw a non-standardized exception, or even abort execution unconditionally.
436 | 
437 |   * *Somewhat inconsistent, but modifiable builtins and prototypes*. The behavior of many language constructs might be redefined by programs within the current context by modifying object setters, getters, or overwriting prototypes. Because of this, reliance on any specific code - for example a security check - executing in a predictable manner in the vicinity of a potentially malicious payload is risky. Notably, however, not all builtin objects may be trivially tampered with - for example, `Array` prototype setters may be modifiable, but `XML` not so. There is no fully-fledged operator overloading in Java<b></b>Script 1.x.
438 | 
439 |   * *Typically synchronous execution*. Within a single document, browser-side Java<b></b>Script usually executes synchronously and in a single thread, and asynchronous timer events are not permitted to fire until the scripting engine enters idle state. No strict guarantees of synchronous execution exist, however, and multi-process rendering of Chrome or MSIE8 may permit cross-domain access to occur more asynchronously.
440 | 
441 |   * *Global function lookups not dependent on ordering or execution flow*. Functions may be invoked in a block of code before they are defined, and are indexed in a pass prior to execution. Because of this, reliance on top-level no-return statements such as `while (1);` to prevent subsequent code from being interpreted might be risky.
442 | 
443 |   * *Endless loops that terminate*. As a security feature, when the script executes for too long, the user is prompted to abort execution. This merely causes current execution to be stopped, but does not prevent scripts from being re-entered.
444 | 
445 |   * *Broad, quickly evolving syntax*. For example, E4X extensions in Firefox [http://code.google.com/p/doctype/wiki/ArticleE4XSecurity well-structured XHTML or XML to be interpreted] as a Java<b></b>Script object, also executing any nested Java<b></b>Script initializers within such a block. This makes it very difficult to assume that a particular format of data would not constitute valid Java<b></b>Script syntax in a future-proof manner.
446 | 
447 | Inline script blocks embedded within HTML are somewhat tricky to sanitize if permitted to contain user-controlled strings, because, much like `<TEXTAREA>`, `<STYLE>`, and several other HTML tags, they follow a counterintuitive CDATA-style parsing: a literal sequence of `</SCRIPT>` ends the script block regardless of its location within the Java<b></b>Script syntax as such. For example, the following code block would be ended prematurely, and lead to unauthorized, additional Java<b></b>Script block being executed:
448 | 
449 | {{{
450 | <SCRIPT>
451 | var user_string = 'Hello world</SCRIPT><SCRIPT>alert(1)</SCRIPT>';
452 | </SCRIPT>
453 | }}}
454 | 
455 | Strictly speaking, HTML4 standard specifies that any `</...` sequence may be used to break out of non-HTML blocks such as `<SCRIPT>` ([http://www.w3.org/TR/html4/appendix/notes.html#notes-specifying-data reference]); in practice, this suit is not followed by browsers, and a literal `</SCRIPT>` string is required instead. This property is not necessarily safe to rely on, however.
456 | 
457 | Various differences between browser implementations are outlined below:
458 | 
459 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
460 | || <font color="#3050a0">Is setter and getter support present?</font> || NO || NO || NO || YES || YES || YES || YES || YES || YES ||
461 | || <font color="#3050a0">Is access to prototypes via `__proto__` possible?</font> || NO || NO || NO || YES || YES || YES || NO || YES || YES ||
462 | || <font color="#3050a0">Is it possible to alias `eval()` function? || YES || YES || YES || PARTLY || PARTLY || YES || PARTLY || YES || YES ||
463 | || <font color="#3050a0">Are watches on objects supported?</font> || NO || NO || NO || YES || YES || NO || NO || NO || NO ||
464 | || <font color="#3050a0">May currently executing code blocks modify self?</font> || read-only || read-only || read-only || NO || NO || NO || YES || NO || NO ||
465 | || <font color="#3050a0">Is E4X extension supported?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO ||
466 | || <font color="#3050a0">Is `charset=` honored on `<SCRIPT SRC="...">`?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> ||
467 | || <font color="#3050a0">Do Unicode newlines (U+2028, U+2029) break lines in Java<b></b>Script?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> ||
468 | 
469 | _Trivia: Java<b></b>Script programs can programatically initiate or intercept a variety of events, such as mouse and keyboard input within a window. This can interfere with other security mechanisms, such as "protected" `<INPUT TYPE=FILE ...>` fields, or non-same-origin HTML frames, and little or no consideration was given to these interactions at design time, resulting in a number of implementation problems in modern browsers._
470 | 
471 | ===Javascript character encoding===
472 | 
473 | To permit handling of strings that otherwise contain restricted literal text (such as `</SCRIPT>`, `"`, `'`, `CL` or `LF`, other non-printable characters), Java<b></b>Script offers five character encoding strategies:
474 | 
475 |   # Three-digit, zero-padded, 8-bit octal numerical representations, C-style (`"test"` →  `"t\145st"`),<p />
476 |   # Two-digit, zero-padded, 8-bit hexadecimal numerical representations, with C-style `\x` prefix (`"test"` → `"t\x65st"`),<p />
477 |   # Four-digit, zero-padded, 16-bit hexadecimal numerical Unicode representations, with `\u` prefix (`"test"` → `"t\u0065st"`),<p />
478 |   # Raw `\` prefix before a literal (`"test"` → `"t\est"`),<p />
479 |   # Special C-style `\` shorthand notation for certain control characters (such as `\n` or `\t`).
480 | 
481 | The fourth scheme is most space-efficient, although generally error-prone; for example, a failure to escape `\` as `\\` may lead to a string of `\" + alert(1);"` being converted to `\\" + alert(1)`, and getting interpreted incorrectly; it also partly collides with the remaining `\`-prefixed escaping schemes, and is not compatible with C syntax.
482 | 
483 | The parsing of these schemes is uniform across all browsers if fewer than the expected number of input digits is seen: the value is interpreted correctly, and no subsequent text is consumed (`"\1test"` is accepted and becomes `"\001test"`).
484 | 
485 | HTML entity encoding has no special meaning within HTML-embedded `<SCRIPT>` blocks. 
486 | 
487 | Amusingly, although all the four aforementioned schemes are supported in Java<b></b>Script proper, a proposed informational standard for Java<b></b>Script Object Notation (JSON), a transport-oriented serialization scheme for Java<b></b>Script objects and arrays ([http://www.ietf.org/rfc/rfc4627.txt RFC 4627]), technically permits only the `\u` notation and a seemingly arbitrary subset of `\` control character shorthand codes (options 3 and 5 on the list above). In practice, since JSON objects are almost always simply passed to `eval(...)` in client-side Java<b></b>Script code to convert them back to native data structures, the limitation is not enforced in a vast majority of uses. Because of the advice provided in the RFC, some non-native `parseJSON` implementations (such as the [http://json.org/json2.js current example reference implementation] from [http://json.org json.org]) may not handle traditional `\x` escape codes properly, however. It is also not certain what approach would be followed by browsers in the currently discussed [http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015078.html native, non-executing parsers] proposed for performance and security reasons.
488 | 
489 | Unlike in some C implementations, stray multi-line string literals are not permitted by Java<b></b>Script, but lone `\` at the end of a line may be used to break long lines in a seamless manner.
490 | 
491 | ==Other document scripting languages==
492 | 
493 | [http://msdn.microsoft.com/en-us/library/sx7b3k7y(VS.85).aspx VBScript] is a language envisioned by Microsoft as a general-purpose "hosted" scripting environment, incorporated within Windows as such, Microsoft IIS, and supported by Microsoft Internet Explorer via `vbscript:` URL scheme, and through `<SCRIPT>` tags. As far as client-side scripting is considered, the language did not seem to offer any significant advantages over the competing Java<b></b>Script technology, and appeared to lag in several areas.
494 | 
495 | Presumably because of this, the technology never won broad browser support outside MSIE (with all current versions being able to execute it), and is very seldom relied upon. Where permitted to go through, it should be expected to have roughly the same security consequences as Java<b></b>Script. The attack surface and security controls within VBScript are poorly studied in comparison to that alternative, however.
496 | 
497 | ==Cascading stylesheets==
498 | 
499 | As the initial HTML designs evolved to include a growing body of eye candy, the language ended up mixing very specific visual presentation cues with content classification directives; for example, a similar inline syntax would denote that the following piece of text is an element of a numbered list, or that it needs to be shown in 72 pt <font face="Comic Sans MS">Comic Sans</font> font. This notation, although convenient to use on new pages, made it very difficult to automatically adjust appearance of a document without altering its structure (for example to account for mobile devices, printable views, or accessibility requirements), or to accurately preserve document structure when moving the data to non-HTML media or new site layouts.
500 | 
501 | [http://www.w3.org/Style/CSS/ Cascading Style Sheets] is a simple concept that corrects this problem, and also provides a much more uniform and featured set of tools to alter the visual appearance of any portion of the document, far surpassing the original set of kludgy HTML tag attributes. A stylesheet outlines visual rendering rules for various functional types of document elements, such as lists, tables, links, or quotations, using a separate block of data with a relatively simple syntax. Although the idea of style sheets as such predates HTML, the current design used for the web stabilized in the form of W3C proposals only around 1998 - and because of the complex changes required to renderers, it took several years for reasonably robust implementations to become widespread. 
502 | 
503 | There are three distinct ways to place CSS directives in HTML documents: 
504 | 
505 |   # The use of an inline `STYLE="..."` parameter attached to HTML tags of any type; attributes specified this way apply to this and nested tags only (and largely defeat the purpose of the entire scheme when it comes to making it easy to alter the appearance of a document),<p />
506 |   # Introduction of a block of CSS code with `<STYLE>...</STYLE>` in any portion of the document. This block may change the default appearance of any tag, or define named rulesets that may be explicitly applied to specific tags with a `CLASS="..."` parameter,<p />
507 |   # Inclusion of a remote stylesheet with a <`LINK REL="stylesheet" HREF="...">`, with the same global effect as a `<STYLE>` block.
508 | 
509 | In the first two modes, the stylesheet generally inherits the character set of its host document, and is interpreted accordingly; in the last mode, character set might be derived from `Content-Type` headers, `@charset` directives, or auto-detected if all other options fail ([http://www.w3.org/TR/CSS2/syndata.html#charset reference]).
510 | 
511 | Because CSS provides a powerful and standardized method to control the visual appearance of a block of HTML, many applications strive to let third parties control a subset of CSS syntax emitted in documents. Unfortunately, the task is fairly tricky; the most important security consequences of attacker-controlled stylesheets are:
512 | 
513 |   * *The risk of Java<b></b>Script execution*. As a little-known feature, some CSS implementations permit Java<b></b>Script code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the `expression(...)` directive, which gives the ability to evaluate arbitrary Java<b></b>Script statements and use their value as a CSS parameter; by using the `url('javascript:...')` directive on properties that support it; or by invoking browser-specific features such as the [http://www.securiteam.com/securitynews/5LP051FHPE.html -moz-binding] mechanism of Firefox.
514 | 
515 |   * *The ability to freely position text*. If user-controlled stylesheets are permitted on a page, various powerful CSS positioning directives may be invoked to move text outside the bounds of its current container, and mimick trusted UI elements or approximate them very accurately. Some examples of absolute positioning directives include `z-index`, `margin`, `padding`, `bottom`, `left`, `position`, `right`, `top`, or `text-indent` (many of them with sub-variants, such as `margin-left`).
516 | 
517 |   * *The ability to reuse trusted classes*. If user-controlled `CLASS="..."` attributes are permitted in HTML syntax, the attacker may have luck "borrowing" a class used to render elements of the trusted UI and impersonate them.
518 | 
519 | Much like Java<b></b>Script, stylesheets are also tricky to sanitize, because they follow CDATA-style parsing: a literal sequence of `</STYLE>` ends the stylesheet regardless of its location within the CSS syntax as such. For example, the following stylesheet would be ended prematurely, and lead to Java<b></b>Script code being executed:
520 | 
521 | {{{
522 | <STYLE>
523 | body {
524 |   background-image: url('http://example.com/foo.jpg?</STYLE><SCRIPT>alert(1)</SCRIPT>');
525 | }
526 | </STYLE>
527 | }}}
528 | 
529 | Another interesting property specific to `<STYLE>` handling is that when two CDATA-like types overlap, no particular outcome is guaranteed; for example, the following may be interpreted as a script, or as an empty stylesheet, depending on the browser:
530 | 
531 | {{{
532 | <STYLE>
533 | <!-- </STYLE><SCRIPT>alert(1)</SCRIPT> -->
534 | </STYLE>
535 | }}}
536 | 
537 | Yet another characteristic that sets stylesheets apart from Java<b></b>Script is the fact that although CSS parser is very strict, a syntax error does not cause it to bail out completely. Instead, a recovery from the next top-level syntax element is attempted. This makes handling user-controlled strings even harder - for example, if a stray newline in user-supplied string is not properly escaped, it would actually permit the attacker to freely tinker with the stylesheet in most browsers:
538 | 
539 | {{{
540 | <STYLE>
541 | .example {
542 |   content: '*** USER STRING START ***
543 |   } .example { color: red; } .bar { *** USER STRING END ***';
544 | }
545 | </STYLE>
546 | 
547 | <SPAN CLASS="example">Hello world (in red)!</SPAN>
548 | }}}
549 | 
550 | Additional examples along these lines are explored in more detail on [http://centricle.com/ref/css/filters/ this page]. Several fundamental differences in style parsing between common browsers are outlined below:
551 | 
552 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
553 | || <font color="#3050a0">Is Java<b></b>Script `expression(...)` supported?</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO || NO || NO ||
554 | || <font color="#3050a0">Is script-targeted `url(...)` supported?</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO || NO || NO || NO || NO ||
555 | || <font color="#3050a0">Is script-executing `-moz-binding` supported?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || NO || NO || NO || NO || NO ||
556 | || <font color="#3050a0">Does `</STYLE>` take precedence over comment block parsing?</font> || NO || NO || NO || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || NO || NO || NO || NO ||
557 | || <font color="#3050a0">Characters permitted as CSS field-value separators (excluding `\t \r \n \x20`)</font> || \x0B \x0C \ \xA0 || \x0B \x0C \ \xA0 || \x0B \x0C \ \xA0 || \x0B \x0C \ || \x0C \ || \x0C \ || \x0C \ \xA0 || \x0C \ \xA0 || \x0C \ ||
558 | 
559 | <b></b>
560 | 
561 | ===CSS character encoding===
562 | 
563 | In many cases, as with Java<b></b>Script, there is a need for web applications to render certain user-supplied user-controlled strings within stylesheets in a safe manner. To handle various reserved characters, a method for escaping potentially troublesome values is required; confusingly, however, CSS format supports neither HTML entity encoding, nor any of the common methods of encoding characters seen in Java<b></b>Script. 
564 | 
565 | Instead, a rather unusual and incompatible scheme consisting of `\` followed by non-prefixed, variable length one- to six-digit hexadecimal is employed; for example, `"test"` may be encoded as `"t\65st"` or `"t\000065st"` - but not as `t\est"`, `"t\x65st"`, `"t\u0065st"`, nor `"t&#x65;st"` ([http://www.w3.org/TR/CSS21/syndata.html#escaped-characters reference]).
566 | 
567 | A very important and little-known oddity unique to CSS parsing is that escape sequences are also accepted outside strings, and confusingly, may substitute some syntax control characters in the stylesheet; so for example, `color: expression(alert(1))` and `color: expression\028 alert \028 1 \029 \029` have the same meaning. To add insult to injury, mixed syntax such as `color: expression( alert \029 1 ) \029` would not work.
568 | 
569 | With the exception of Internet Explorer, stray multi-line string literals are not supported; but a lone `\` at the end of a line may be used to seamlessly break long lines.
570 | 
571 | ==Other built-in document formats==
572 | 
573 | HTML aside, modern browser renderers usually natively support an additional set of media formats that may be displayed as standalone documents. These can be generally divided into two groups:
574 | 
575 |   * *Pure data formats.* These include plain text data or images (JPEG, GIF, BMP, etc), where the browser simply provides a basic rendering canvas and populates it with static data. In principle, no security consequences arise with these data types, as no malicious payloads may be embedded in the message - short of major and fairly rare implementation flaws. Common image formats aside, some browsers may also support other oddball or legacy media formats natively, such as the ability to play [http://en.wikipedia.org/wiki/Musical_Instrument_Digital_Interface MID] files specified by `<BGSOUND>` tags.
576 | 
577 |   * *Rich data formats.* This category is primarily populated by non-HTML XML namespace parsers ([http://www.w3.org/Graphics/SVG/ SVG], [http://www.rssboard.org/rss-specification RSS], [http://tools.ietf.org/html/rfc4287 Atom]); beyond raw data, these document formats contain various rendering instructions, hints, or conditionals. Because of how XML works, each of the XML-based formats has two important security consequences:<p />
578 |     * Firstly, nested XML namespaces may be defined, and are usually not verified against MIME type intents, permitting HTML to be embedded for example inside `image/svg+xml`.<p />
579 |     * Secondly, these formats may actually come with provisions for non-standard embedded HTML or Java<b></b>Script payloads or scripts built in, permitting HTML injection even if the attacker has no direct control over XML document structure.
580 | 
581 | One example of a document that, even if served as `image/svg+xml`, would still execute scripts in many current browsers despite MIME type clearly stating a different intent, is as follows:
582 | 
583 | {{{
584 | <?xml version="1.0"?>
585 | <container>
586 |   <svg xmlns="http://www.w3.org/2000/svg">
587 |     [...]
588 |   </svg>
589 |   <html xmlns="http://www.w3.org/1999/xhtml">
590 |     <script>alert('Hello world!')</script>
591 |   </html>
592 | </container>
593 | }}}
594 | 
595 | Furthermore, SVG natively permits [http://www.w3.org/TR/SVG/script.html embedded scripts] and event handlers; in all browsers that support SVG, these scripts execute when the image is loaded as a top-level document - but are ignored when rendered through `<IMG>` tags.
596 | 
597 | Some of the non-HTML builtin document type behaviors are documented below:
598 | 
599 | || <font color="#3050a0">*Test description*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
600 | || <font color="#3050a0">Supported bitmap formats (excluding JPG, GIF, PNG)</font> || BMP ICO WMF || BMP ICO WMF || BMP ICO WMF || BMP ICO TGA^*^ || BMP ICO TGA^*^ || BMP TIF || BMP^*^ || BMP ICO || BMP ICO ||
601 | || <font color="#3050a0">Is generic XML document support present?</font> || YES || YES || YES || YES || YES || YES || YES || YES || YES ||
602 | || <font color="#3050a0">Is RSS feed support present?</font> || NO || YES || YES || YES || YES || YES || YES || NO || NO ||
603 | || <font color="#3050a0">Is ATOM feed support present</font> || NO || YES || YES || YES || YES || YES || YES || NO || NO ||
604 | || <font color="#3050a0">Does Java<b></b>Script execute within feeds?</font> || <font color="#ff0000">(YES)</font> || NO || NO || NO || NO || NO || NO || <font color="#ff0000">(YES)</font> || <font color="#ff0000">(YES)</font> ||
605 | || <font color="#3050a0">Are `javascript:` or `data:` URLs permitted in feeds?</font> || <font color="#909090">n/a</font> || NO || NO || NO || NO || NO || NO || <font color="#909090">n/a</font> || <font color="#909090">n/a</font> ||
606 | || <font color="#3050a0">Are CSS specifications permitted in feeds?</font> || <font color="#909090">n/a</font> || NO || YES || YES || YES || NO || YES || <font color="#909090">n/a</font> || <font color="#909090">n/a</font> ||
607 | || <font color="#3050a0">Is SVG image support present?</font> || NO || NO || NO || YES || YES || YES || YES || YES || NO ||
608 | || <font color="#3050a0">May `image/svg+xml` document contain HTML `xmlns` payload?</font> || <font color="#ff0000">(YES)</font> || <font color="#ff0000">(YES)</font> || <font color="#ff0000">(YES)</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">YES</font> || <font color="#ff0000">(YES)</font> ||
609 | 
610 | ^*^ Format support limited, inconsistent, or broken.
611 | 
612 | _Trivia: curiously, Microsoft's XML-based [http://www.w3.org/TR/NOTE-VML.html Vector Markup Language] (VML) is not natively supported by the renderer, and rather implemented as a plugin; whereas Scalable Vector Graphics (SVG) is implemented as a core renderer component in all browsers that support it._
613 | 
614 | ==Plugin-supported content==
615 | 
616 | Unlike the lean and well-defined set of natively supported document formats, the landscape of browser plugins is extremely diverse, hairy, and evolving very quickly. Most of the common content-rendering plugins are invoked through the use of `<OBJECT>` or `<EMBED>` tags (or `<APPLET>`, for Java), but other types of integration may obviously take place. 
617 | 
618 | Common document-embeddable plugins can be generally divided into several primary categories:
619 | 
620 |   * *Web programming languages*. This includes technologies such as [http://en.wikipedia.org/wiki/Adobe_Flash Adobe Flash], [http://en.wikipedia.org/wiki/Java_programming_language multi-vendor Java], or [http://en.wikipedia.org/wiki/Silverlight Microsoft Silverlight], together present at a vast majority of desktop computers. These languages generally permit extensive scripting, including access to the top-level document and other DOM information, or the ability to send network requests to at least some locations. The security models implemented by these plugins generally diverge from the models of the browser itself in sometimes counterintuitive or underspecified ways (discussed in more detail [http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Flash later on]).<p />This property makes such web development technologies a major attack surface by themselves if used legitimately. It also creates a security risk whenever a desire to user content arises, as extra steps must be taken to make sure the data could never be accidentally interpreted as a valid input to any of the popular plugins.
621 | 
622 |   * *Drop-in integration for non-HTML document formats*. Some popular document editors or viewers, including [http://en.wikipedia.org/wiki/Adobe_Acrobat Acrobat Reader] and [http://en.wikipedia.org/wiki/Microsoft_Office Microsoft Office], add the ability to embed their supported document formats as objects on HTML pages, or to view content, full-window, directly within the browser. The interesting property of this mechanism is that many such document formats either feature scripting capabilities, or offer interactive features (e.g., clickable links) that may result in data passed back to the browser in unusual or unexpected ways. For example, methods exist to navigate browser's window to `javascript:` URLs from PDF documents served inline - and this code will execute in the security context of the hosting domain.
623 | 
624 |   * *Specialized HTML-integrated markup languages*. In addition to kludgy drop-in integration for document formats very different from HTML, specialized markup languages such as [http://en.wikipedia.org/wiki/VRML VRML], [http://www.w3.org/TR/NOTE-VML.html VML], or [http://en.wikipedia.org/wiki/MathML MathML], are also supported in some browsers through plugins, and meant to discretely supplement regular HTML documents; these may enable HTML smuggling vectors similar to those of renderer-handled XML formats (see previous section).
625 | 
626 |   * *Rich multimedia formats*. A variety of plugins brings the ability to play video and audio clips directly within the browser, without opening a new media player window. Plugin-driven browser integration is offered by almost all contemporary media players, including [http://en.wikipedia.org/wiki/Windows_Media_Player Windows Media Player], [http://en.wikipedia.org/wiki/QuickTime QuickTime], [http://en.wikipedia.org/wiki/RealPlayer RealPlayer], or [http://en.wikipedia.org/wiki/VLC VLC], again making it a widely available capability. Most of such formats bear no immediate security consequences for the hosting party per se, although in practice, this type of integration is plagued by implementation-specific bugs.
627 | 
628 |   * *Specialized data manipulation widgets*. This includes features such as DHTML ActiveX editing gizmos (`2D360201-FFF5-11D1-8D03-00A0C959BC0A`). Some such plugins ship with Windows and are marked as safe despite receiving very little security scrutiny.<p />_Trivia: there is reportedly a sizeable and generally underresearched market of [http://blog.mozilla.com/gen/2007/02/27/the-cost-of-monoculture/ plugin-based crypto] clients implemented as ActiveX controls in certain Asian countries._
629 | 
630 | One of the more important security properties of object-embedding tags is that like with many of their counterparts intended for embedding other non-HTML content, no particular attention is guaranteed to paid to server-supplied `Content-Type` and `Content-Disposition` headers, despite the fact that many embedded objects may in fact execute in a security context related to the domain that served them. 
631 | 
632 | The precedence of inputs for deciding how to interpret the content in various browsers is as follows:
633 | 
634 | || <font color="#3050a0">*Input signal*</font> || <font color="#3050a0">*MSIE6*</font> || <font color="#3050a0">*MSIE7*</font> || <font color="#3050a0">*MSIE8*</font> || <font color="#3050a0">*FF2*</font> || <font color="#3050a0">*FF3*</font> || <font color="#3050a0">*Safari*</font> || <font color="#3050a0">*Opera*</font> || <font color="#3050a0">*Chrome*</font> || <font color="#3050a0">*Android*</font> ||
635 | || <font color="#3050a0">Tag type and `TYPE=` / `CLASSID=` values</font> || #1 || #1 || #1 || #1 || #1 || #1 || #1 || #1 || <font color="#909090">n/a</font> ||
636 | || <font color="#3050a0">`Content-Type` value if `TYPE=` is not recognized</font> || ignored || ignored || ignored || ignored || ignored || ignored || ignored || ignored || <font color="#909090">n/a</font> ||
637 | || <font color="#3050a0">`Content-Type=`value if `TYPE=` is missing</font> || #2 || #2 || #2 || #2 || #2 || #2 || #2 || #2 || <font color="#909090">n/a</font> ||
638 | || <font color="#3050a0">Content sniffing if `TYPE=` is not recognized</font> || ignored || ignored || ignored || ignored || ignored || ignored || ignored || ignored || <font color="#909090">n/a</font> ||
639 | || <font color="#3050a0">Content sniffing if `TYPE=` is missing</font> || ignored || ignored || ignored || ignored || ignored || (#3) || ignored || (#3) || <font color="#909090">n/a</font> ||
640 | 
641 | The approach to determining how to handle the data with no attention to the intent indicated by the hosting server is a problematic design concept, as it makes it impossible for servers to opt out from having any particular resource being treated as a plugin-interpreted document in response to actions of a malicious third-party site. In conjunction with lax syntax parsers within browser plugins, this resulted in a number of long-standing vulnerabilities, such as valid Java archive files (JARs) [http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html doubling as valid images]; or, more recently, [http://skeptikal.org/2009/11/when-flash-attacks.html Flash applets] doing the same.
642 | 
643 | _NOTE: Unfortunately, as of today, the embedding party is also not in complete control of how a plugin-handled document will be displayed. See [http://lcamtuf.blogspot.com/2011/03/warning-object-and-embed-are-inherently.html this article] for more._
644 | 
645 | Another interesting property worth noting here is that many plugins have their own HTTP stacks and caching systems, which makes them a good way to circumvent browser's privacy settings; Metasploit maintains an [http://decloak.net example site] illustrating the problem.
646 | 
647 | _([http://code.google.com/p/browsersec/wiki/Part2 Continue to browser security features...])_


--------------------------------------------------------------------------------