Chrome Apes IE8, Adds Clickjacking, XSS Defenses

CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options'" a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection.'"In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"

Thanks

[iamapizza]

Thanks for adding the security features to Chrome, developers at Google. That is all.

Re:

[iamapizza]

Would I have been so forgiving if it were IE that were late with their security additions?

Re:

[RobertM1968]

Would I have been so forgiving if it were IE that were late with their security additions?

I dunno... though I also dont know if this security addition works in IE8 either... ;-)

Re:

[Jurily]

I read it as "Chrome Apes, IE8 Adds Clickjacking"...

Re:

[sakdoctor]

I hope this new Chrome security works on the clickjacking on google's own SERPs.

Re:

[GameboyRMH]

Hahahaha! (the clickjacking happens when running searches while logged into a Google account).

Chrome Apes? Moronic Monkies?

[syousef]

Anyone else getting flashbacks from Planet of the Apes?

Is that the new code name for the next version of Chrome? Ubuntu Panhandling Panda, now featuring Chrome Apes! Download now! Steve Balmer your Monkey Boy days are numbered, so dance while you can, it's the year of the Google Desktop.

Re:

[Velska1]

Believe me, it's used frequently enough for any fluent speaker in conversations, let alone native speakers. It's an old one, besides, I found it in a dictionary from the 1950s.

Re:Chrome Apes? Moronic Monkies?

[jez9999]

I'm a native English speaker and it seems like a bizarre, stupid usage of the word to me. But then, Slashdot headline have always had trouble making sense.

Re:

[cheesewire]

The kids aped the apes, the apes aped the kids. The kids went ape.

Re:

[thetoadwarrior]

This is purely a guess and probably full of shit but I would assume it comes from the fact that monkeys and apes will often mimic humans and their movements so it makes perfect sense.

Re:

[VON-MAN]

I'm no native English speaker but I know it's an normal English word. However, I've never heard someone use it when revering to software. And it sounds really derogatory. So yes, it's a weird use of the word.

Re:

[DMUTPeregrine]

Some monkeys & apes are known to imitate others. Thus, to "ape" someone/thing is to imitate it. It's not derogatory or a particularly odd use, just less common now than it used to be.

Re:

[VON-MAN]

"Some monkeys & apes are known to imitate others."
"to "ape" someone/thing is to imitate it"

Thanks yes. I always thought that to be common knowledge.
However, "ape" & "imitate" in google gives me a link to "www.thefreedictionary.com" where "to ape" is defined as "To mimic slavishly but often with an absurd result."

And that's exactly what I was trying to say earlier: it's a pretty negative way of describing behavior. But then to use it in the context of software? Ridiculous! Software doesn't ape,

Re:

[thetoadwarrior]

It's mainly because English is being dumbed down and internet is a breeding ground for dumb English so you aren't very likely to hear decent English. Hell, even I could afford to read everything before I press submit.

Re:

[thetoadwarrior]

http://www.google.co.uk/search?q=define%3A+ape [google.co.uk]

# any of various primates with short tails or no tail at all
# imitate uncritically and in every aspect; "Her little brother apes her behavior"
# copycat: someone who copies the words or behavior of another
# caricature: represent in or produce a caricature of; "The drawing caricatured the President"
# anthropoid: person who resembles a nonhuman primate

You can thank me for the free English lesson later.

Re:

[syousef]

What is wrong with people? I made a joke, and they assume I don't understand the context? WTF?

Re:

[Lillebo]

Probably because most "developers" are clueless script kiddies to begin with.

Re:

[Runaway1956]

I've had that thought a time or two, but never voiced it. Why don't we run a poll, and find out how many developers actually develop anything, and how many just tie scripts together, like the guy at the circus who makes dogs and horses out of balloons. It could get interesting!

Re:

[Goaway]

just imagine how many developers will be baffled by this behavior

Imagining...

Done. Zero developers were baffled.

Imagining complete.

Re:

[MemoryDragon]

Hehe I am pretty sure this feature is disabled if you fetch the Google build of those scripts from the cloud...
(

Re:

[Goaway]

It does not affect that in any way whatosever.

Re:

[WiFiBro]

I assume (danger!) that they are only looking for XSS in the GET, POST and COOKIE input.

Cross-site scripting

[commlinx]

Recently I starting doing a bit of web development after being out of the loop for a while. I was working on a project and it was convenient to have the XHTML / JS running on my development machine while doing a few AJAX calls to my development server. After it failed at first I found I could add Access-Control-Allow-Origin: * to the HTTP header to allow cross-site access.

It made we wonder if you wanted to exploit cross-site vulnerabilities couldn't you setup a proxy in the middle that returned information from the original site but added that to the header? Anyway just got me wondering and maybe someone more knowledgeable could comment on it.

Re:Cross-site scripting

[NNKK]

At that point you're already a man in the middle and can send whatever you want to the browser, why on earth would you need to exploit XSS vulnerabilities?

Re:

[icepick72]

Maybe men in the middle have a particular fetish for that kind of attack.

Re:

[MrCoke]

Because you want to do something "useful" instead of just snooping?

Re:

[Quantumstate]

No you are missing the point. The man in the middle can modify stuff going through so they just change the page itself rather than trying to use fancy XSS attacks.

Re:Cross-site scripting

[TorKlingberg]

If you are going to use Access-Control-Allow-Origin you should probably be aware that it is very new, and many browsers out there do not support it. Firefox added it in version 3.5.

Moderation abuse 101

[WiiVault]

Off topic? The summary is pure troll.

Re:Stay classy /.

[1s44c]

I hope the submitter realized that the only reason MS even bothered with any of this is thanks to them getting an ass pounding over the last few years for not giving a shit about security. Your welcome MS drones.

MS have never got the 'ass pounding' their security record has earned. If the security problems they cause cost them just 1% of what they cost their customers they would be bankrupt fairly quickly.

Software is weird, where else would you not be responsible for the faults in the products you sell?

Re:

[Anonymous Coward]

Because if you were, you probably wouldn't be able to purchase the software as it'd be seriously more expansive than it is today.

Re:

[Kevin Stevens]

Your house is seriously insecure, even if you have a steel door and have window panes are made of bullet-proof glass, you probably live in a stick frame building where a drill and a sawz-all can gain me access to the interior in an hour or two. Yet no one seems to get excited about the insecurity of our houses.

When our houses get robbed, we recognize that the wrongdoing is being done by the criminal. Yet when our computers are hacked, we place the wrongdoing on the provider of the software.

I have never real

Re:

[mister_playboy]

Breaking into a house requires the criminal to be at the house physically and people understand that. Breaking into a computer can take place from virtually anywhere and that seems much more abstract. Since most people don't understand exactly what happened to allow the criminal access, they place the blame with someone who they assume does understand, the software manufacturer.

If a little kid gets hurt and you try to comfort them, they often get angry at you, at least briefly. Same basic idea.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[10101001 10101001]

Your house is seriously insecure, even if you have a steel door and have window panes are made of bullet-proof glass, you probably live in a stick frame building where a drill and a sawz-all can gain me access to the interior in an hour or two. Yet no one seems to get excited about the insecurity of our houses.

In large part because, as you point out, it's impossible to make a house physically secure (although security guards can hypothetically do a good job). Similarly, it's impossible to make a computer p

Re:

[forgottenusername]

Locking your front door and window is merely a deterrent to your fairly normal, average civilized person. It's illusionary security, a social construct that says "hey, this is private, keep out". Same thing with passwords on accounts and firewalls.

Software is held to lofty standards because people don't understand it and blindly have faith in OS vendors, AV vendors etc to magically keep them safe. So when those software companies fail to protect them from threats they don't even really understand they get a

Chrome Apes IE8, Adds Clickjacking, XSS

[SharpFang]

Defenses

I like how Slashdot renders that headline.

Dumb article

[Undead Waffle]

Oh my god Chrome is copying IE by supporting for the http header X-Frame-Options that Microsoft wants web developers to start using. Don't they know you're supposed to invent your own browser-specific variation of what your opponent implements?

I also like how they mention Chrome added 5 security features but they only cover the 2 that are already in IE.

It's nice that all of the browsers are adding security features but can we cover one of them without focusing on who did what first?

Re:Dumb article

[Robert Zenz]

Google copies Microsoft. Google is showing no imagination. First their own OS, Browser and now security features that MS originally put in their browser.

I didn't knew that MS invented operating systems and browsers, and when you write your own that you're copying from MS.

Re:

[psetzer]

I'm going to savor the day when there's an article about this awesome new feature in the Linux kernel that uses hardware encryption to verify the integrity of loaded kernel modules and prevent rootkits.

Re:

[the_B0fh]

doesn't tivo already do this?

Protection on other browsers

[pmontra]

This post [hackademix.net] of NoScript's author Giorgio Maone dates back to one year ago and goes into the details of X-Frame-Options. His point seems to be that if you have JavaScript enabled, there are well-known ways [wikipedia.org] to achieve the same result, unless you use IE (they can be circumvented). If you don't have JS enabled, NoScript on Firefox is already giving you the same degree of protection. Anyway (this is me) adding that level of protection by default on all browsers looks a nice thing to have.

Ads

[1s44c]

If Chrome can't block ads it's not ready for the internet. It doesn't matter what else it does and doesn't do, blocking stupid flashing graphics is the main function of web browsers these days.

Re:

[StripedCow]

Chrome is open-source, right? Anybody else could add this to Chrome.

Adblock works fine in Chrome

[brunes69]

I have Adblock and a ton of other extensions working just fine in Chrome. Just use the testing / developer streams which have plugin support.

Re:

[Ranzear]

You're easily a month behind on this. https://chrome.google.com/extensions [slashdot.org]

Re:Ads

[mister_playboy]

For users familiar with the ad-blocking in Firefox or Opera, Chrome's ad-blocking extensions are terrible in comparison. They don't render the ad, but they still waste bandwidth downloading it, negating half of their value.

Chromium doesn't include a provision for real element blocking, so this issue would have to be dealt with in the browser itself, not just in the extensions.

Re:

[W3bbo]

Some 'adblocker detection' services may flag your client if they see you've downloaded the page, but not the associated ad content, so they know your browser isn't displaying the ad, but if the client does download it they have no way of knowing if it's being rendered or not, short of using a DOM-inspection script. With the exception of Flash video adverts, I've never had any bandwidth problems with banners, except for those off-site advert scripts that delay the page loading.

Re:

[badkarmadayaccount]

Do they follow the transfer through? Or can you stop it at the first byte?

Re:

[yuhong]

Yep, I remember this article on Slashdot about it:
http://tech.slashdot.org/story/09/12/17/1436257/Google-Says-Ad-Blockers-Will-Save-Online-Ads [slashdot.org]
Also, note that part of why Larry and Sergey chose to use text ads for Google is that they found banner and pop-up ads annoying.

Re:

[Goaway]

Well, then, I guess that means Chrome is ready for the internet, huh.

Re:

[JThundley]

Here's how I block flash: Never install it in the first place.

It's foolproof and works on all sites!

What's the need for all this security stuff...

[Hurricane78]

...when Google goes ahead, tracks your every move, and sells it to the same crooks anyway?

(Not trolling here. As far as I heard, Google does track everything. And as far as I know, Google does sell that information to advertisers as its main business. Finally, as far as I know, those advertisers include all those spamming crooks and their friends.)

Re:

[StripedCow]

And as far as I know, Google does sell that information to advertisers as its main business

Not so sure about that... in their privacy statement, they say that they inform advertisers only about the number of times their ads were clicked (that is, in total, thus no information about individual clicks is released).

Re:

[couchslug]

"...when Google goes ahead, tracks your every move, "

https://addons.mozilla.org/en-US/firefox/addon/3173 [mozilla.org]

Re:What's the need for all this security stuff...

[Anonymous Coward]

Add .google-analytics. to your AdblockPlus rules. Then install the Better Privacy extension. Finally, remove all existing cookies from Google and make sure that in future the permissions are set to 'Block'. Done, Google is not tracking you anymore.

(I work at Google, hence posting as AC.)

Mod parent up please, very informative!

[e2d2]

Mod parent up please, very informative!

Re:

[badkarmadayaccount]

Better - EasyList+EasyElement (USA), EasyPrivacy+Cederics Liste, Malware Domains subscriptions. Though Some sites - not only porn sites - mange to get passed that. I'm stumped why.

Re:

[thetoadwarrior]

I'm glad no one else is tracking me and that Bing doesn't use the same tactics. If you don't like being tracked then you should attack everyone rather than just the guy on top who will just end up being replaced by someone doing the same exact thing.

Re:

[rgo]

Take it easy gramps... they're making it easier for us to share interesting things in other networks. If you don't wanna share, then don't click the icons.

It's not like they are showing tweets with the comments...

Re:

[mister_playboy]

It's not like they are showing tweets with the comments...

Please don't give them any ideas!

Re:

[Antiocheian]

You think that my problem is clicking the icons ? These are adblocked. You think if you wanted to share interesting things in other networks you couldn't greasemonkey them yourself ? Of course not.

It's that they facilitate people who wish to share "interesting things" on gossip networks that bugs me.

Does it install in 'program files', on Windows?

[Midnight Thunder]

Can anyone tell me whether it finally installs in 'program files', on Windows XP? I haven't been able to find a way with the previous versions, and this is my only hurdle to installing it on my work PC due to the anti-virus rules.

No thanks, no more Chrome for me.

[cheros]

I stopped using Chrome. It comes from a supplier that sees privacy as a problem, and I don't feel I have enough control over what it does with the information it gains from my surfing - that's also why I don't use Google DNS. I also have no idea how to switch the "referrer" information off (in FF that's quite easy).

So, personally I don't give a damn what Chrome (or any other Google app) does. I prefer FF, even when I switch to OSX later this year (yes, I'm switching control freaks :-))..

That's good, but work on usability too please

[Daetrin]

Improving security is great, but they really need to keep working on usability as well! I just installed Chrome for the first time yesterday and have been playing around with it. It seems pretty speedy but the UI is a bit weird.

The lack of a title bar seems kind of weird. I don't know what they were going for with that, but it's the only window on my entire machine and it stands out, and not in a good way. At one point i tried adding a new tab while waiting for visual studio to start a debug session, and

Re:

[Daetrin]

I should have put the "A couple minor aesthetic gripes. I may eventually get used to [them]" part at the top of the paragraph talking about aesthetic stuff, that was bad editing on my part and confused things, sorry.

I agree with you that they can't fix the aesthetics to please everyone. I'm hoping that changes like that will be something that's easy to implement in extensions later.

The part i'm more concerned about is the usability issues i talked about further down, particularly in regard to tabs. Like

Chrome 4?

[anexkahn]

By this time next year we will be on Chrome Version 17!