Browser security

What is the same origin policy?

The same-origin policy is a well-known security policy proposed by Netscape. It is now used by all JavaScript-enabled browsers. Same origin means same domain name, same protocol, and same port. Suppose two tabs of a browser are opened to the Baidu and Google pages respectively. When the Baidu tab executes a script, the browser checks which page the script belongs to, that is, whether it is same-origin; only scripts that are same-origin with Baidu will be executed. If a script is not same-origin, the browser raises an exception in the console and denies access when the data is requested.

Functions of the same-origin policy:

The browser’s same-origin policy restricts files or scripts from different sources from reading or setting certain properties on the current file. Browsers came up with the concept of “origin” to prevent page behavior from getting messy and objects from different sources from interfering with each other.

When a tag with a “src” attribute needs to load a resource across sites, the browser issues a GET request. The browser restricts JS permissions so that scripts cannot read or write the returned content.

If XMLHttpRequest were able to access resources across domains, sensitive data could be compromised, resulting in security issues. XMLHttpRequest cross-domain access standard: permission is authorized through the HTTP headers returned by the target domain. The security basis of this scheme: JS cannot control HTTP headers.

Browser sandbox: the purpose of the sandbox is to let untrusted code run in an isolated environment while restricting it from accessing resources outside the quarantine area. Emmmmm, kind of like COVID-19 quarantine hahahahaha.

Google Chrome’s Sandbox architecture

The most obvious benefit of the multi-process architecture is that, in the event of a crash, a multi-process browser will only crash the current tab, with no impact on other pages.

Malicious URL blocking

Malicious websites on a “blacklist” are intercepted. There are two common kinds of malicious website: one is the Trojan-hosting website (such websites usually contain malicious scripts such as JS or Flash, which execute shellcode by exploiting browser vulnerabilities and implant Trojan horses in computers); the other is the phishing site (which tricks users by mimicking pages from well-known sites).

Mainstream browsers are beginning to support EV SSL certificates to enhance the identification of secure websites.

The rapid development of browser security

Today, browsers are still being updated. The XSS Filter feature introduced by Microsoft in Internet Explorer 8 can modify the key words in the script of an XSS attack to make it invalid, and pops up a prompt box for the user.

To use CSP, insert an HTTP response header:

X-Content-Security-Policy: policy

The description of policy is flexible, for example:

X-Content-Security-Policy: allow 'self' *.mydomain.com

The browser will then trust content from mydomain.com and its subdomains. With the development of browsers, users’ browsing experience is getting better and better. However, many seemingly “friendly” functions may lead to security risks. For example, many browser address bars will tolerate malformed URLs, and www.google.com\abc will be treated as the normal www.google.com/abc

If such “friendly” features are exploited by hackers, they could be used to bypass some security software or modules.
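
The mismatch described above, as an added example that is not part of the original article: a filter that matches raw URL strings misses the backslash form, while one that first parses the URL with the WHATWG URL parser, as browsers do, catches it. The blocklist entry, sample URLs and function names are constructed for illustration.

```javascript
// Added example: constructed blocklist entry; example.test is a reserved test domain.
const BLOCKLIST = [{ host: "bad.example.test", pathPrefix: "/login" }];

// Naive filter: matches the raw string, as a simple security module might.
function naiveIsBlocked(rawUrl) {
  const s = rawUrl.toLowerCase();
  return BLOCKLIST.some((e) => s.includes(e.host + e.pathPrefix));
}

// Canonicalize with the WHATWG URL parser, which applies the same "friendly"
// fixes as the address bar: "\" becomes "/" for http(s), the host is
// lowercased, and "." / ".." path segments are resolved.
function canonicalize(rawUrl) {
  try {
    const u = new URL(rawUrl.trim());
    return { host: u.hostname, path: u.pathname, href: u.href };
  } catch {
    return null; // not parseable as an absolute URL
  }
}

// Hardened filter: compare parsed components, and fail closed on parse errors.
function canonicalIsBlocked(rawUrl) {
  const c = canonicalize(rawUrl);
  if (c === null) return true;
  return BLOCKLIST.some((e) => c.host === e.host && c.path.startsWith(e.pathPrefix));
}

// Constructed sample inputs.
const SAMPLES = [
  "http://bad.example.test/login",
  "http://bad.example.test\\login",
  "http://BAD.example.test/a/../login",
  "http://good.example.test/login",
];

for (const url of SAMPLES) {
  console.log(url, "naive:", naiveIsBlocked(url), "canonical:", canonicalIsBlocked(url));
}
```

The point for a filtering module is to compare the same components the browser will act on, not the string the user or page supplied.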