Chrome Apes IE8, Adds Clickjacking, XSS Defenses

CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options'" a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection.'"In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"

Protection on other browsers

[pmontra]

This post [hackademix.net] of NoScript's author Giorgio Maone dates back to one year ago and goes into the details of X-Frame-Options. His point seems to be that if you have JavaScript enabled, there are well-known ways [wikipedia.org] to achieve the same result, unless you use IE (they can be circumvented). If you don't have JS enabled, NoScript on Firefox is already giving you the same degree of protection. Anyway (this is me) adding that level of protection by default on all browsers looks a nice thing to have.

Adblock works fine in Chrome

[brunes69]

I have Adblock and a ton of other extensions working just fine in Chrome. Just use the testing / developer streams which have plugin support.

Re:Ads

[Ranzear]

You're easily a month behind on this. https://chrome.google.com/extensions [slashdot.org]

Re:Cross-site scripting

[TorKlingberg]

If you are going to use Access-Control-Allow-Origin you should probably be aware that it is very new, and many browsers out there do not support it. Firefox added it in version 3.5.

Re:Ads

[mister_playboy]

For users familiar with the ad-blocking in Firefox or Opera, Chrome's ad-blocking extensions are terrible in comparison. They don't render the ad, but they still waste bandwidth downloading it, negating half of their value.

Chromium doesn't include a provision for real element blocking, so this issue would have to be dealt with in the browser itself, not just in the extensions.

Re:What's the need for all this security stuff...

[Anonymous Coward]

Add .google-analytics. to your AdblockPlus rules. Then install the Better Privacy extension. Finally, remove all existing cookies from Google and make sure that in future the permissions are set to 'Block'. Done, Google is not tracking you anymore.

(I work at Google, hence posting as AC.)