Which Browsers Are The Most Secure?



Renk
14.11.10, 17:39
Do a test here (http://www.browserscope.org/security/test).

It's a "suite of security tests that measure whether the browser supports JavaScript APIs that allow safe interactions between sites, and whether it follows industry best practices for blocking harmful interactions between sites".
Security - What are the Security Tests? - Browserscope (http://www.browserscope.org/security/about)

You can then compare your results with those of the main browsers.



http://image.bayimg.com/oaapjaadi.jpg

You can see the good results FF gets. Chrome 8 seems the safest of all, but only if you assume that you can be safe in the middle of Google's tentacles. Anyway, as usual, FF can easily get better: it seems FF 4 beta6 with NoScript "scripts globally allowed" enabled has a higher score than Chrome 8.




http://image.bayimg.com/jaapmaadi.jpg

Here you can contemplate the weak score (10.63) that Opera's browser gets. IE8 itself seems even better. Poor Opera users are really living in an insecure world....:tongue:




NB: Some troll-like sentences are included in this thread. Will you be able to find them?
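An added illustration (not Browserscope's code, nor any poster's) of the two kinds of check behind the lists reported in this thread: pure API feature detection, and checks that can only pass when the server sends a particular response header. The window stand-in and the response headers below are constructed samples.

```javascript
// API checks: probe the window object for the APIs the suite looks for.
const API_CHECKS = {
  'postMessage API':   w => typeof w.postMessage === 'function',
  'JSON.parse API':    w => !!w.JSON && typeof w.JSON.parse === 'function',
  'toStaticHTML API':  w => typeof w.toStaticHTML === 'function',
  'Sandbox attribute': w => 'sandbox' in w.document.createElement('iframe'),
};

// Header-driven checks: a browser can only PASS these when the server sends
// the header AND the browser honours it. This half verifies the server side
// on a captured response, which is the part a site owner can actually fix.
const HEADER_CHECKS = {
  'X-Frame-Options':           'x-frame-options',
  'X-Content-Type-Options':    'x-content-type-options',
  'Strict Transport Security': 'strict-transport-security',
  'Content Security Policy':   'content-security-policy',
};

function runApiChecks(win) {
  const out = {};
  for (const [name, probe] of Object.entries(API_CHECKS)) {
    let ok = false;
    try { ok = !!probe(win); } catch (e) { ok = false; } // a throwing probe is a FAIL
    out[name] = ok ? 'PASS' : 'FAIL';
  }
  return out;
}

function checkResponseHeaders(rawHeaders) {
  // rawHeaders: the raw HTTP response header block as one string
  const present = {};
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx > 0) present[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const out = {};
  for (const [name, h] of Object.entries(HEADER_CHECKS)) out[name] = h in present ? 'PASS' : 'FAIL';
  return out;
}

// Score in the "n/total" form the thread uses.
function score(results) {
  const vals = Object.values(results);
  return `${vals.filter(v => v === 'PASS').length}/${vals.length}`;
}

// Constructed stand-in for an older browser: no toStaticHTML, no iframe sandbox.
const fakeWindow = { postMessage() {}, JSON, document: { createElement: () => ({}) } };
// Constructed response: sends two of the four headers.
const sampleHeaders = 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\nContent-Type: text/html\r\n';
```

A browser that "fails" a header check against a site that never sends the header tells you nothing about the browser; the two halves have to be read together.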

anon
14.11.10, 17:42
My score:

PASS postMessage API
PASS JSON.parse API
FAIL toStaticHTML API
PASS httpOnly cookie API
PASS X-Frame-Options
FAIL X-Content-Type-Options
FAIL Block reflected XSS
PASS Block location spoofing
PASS Block JSON hijacking
PASS Block XSS in CSS
FAIL Sandbox attribute
FAIL Origin header
FAIL Strict Transport Security
PASS Block cross-origin CSS attacks
FAIL Content Security Policy
FAIL Cross Origin Resource Sharing
PASS Block visited link sniffing


Can't comment on the troll-like sentences. :wsmile:

Is there any browser that passes all the checks?

piratemeister
14.11.10, 17:54
1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. FAIL Block visited link sniffing

SealLion
14.11.10, 20:34
Here is my result of the test


1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. FAIL Block visited link sniffing


Pretty much the same as TheDeathless results.

slikrapid
14.11.10, 20:47
1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. FAIL Block visited link sniffing

13/17, as expected for Firefox

piratemeister
14.11.10, 20:50
I'm using FireFox on Ubuntu 10.10 with all updates.

slikrapid
14.11.10, 20:53
Firefox version 3.6 (9/17) vs. 3.6.12 (13/17); let me guess: you haven't restarted it recently ;)

piratemeister
14.11.10, 21:04
My version is 3.6.12. How is it possible that our results are different?

slikrapid
14.11.10, 21:07
I also use the Adblock Plus & NoScript add-ons; maybe that's the reason why.

piratemeister
14.11.10, 21:15
I also use Adblock Plus. Now I will try NoScript (it's also made in Italy :D) and post my result.

1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. FAIL Block visited link sniffing

13/17

SealLion
14.11.10, 23:56
I guess mine's a little bit better now. Thanks slik for the comment suggesting that NoScript might be the detail involved.


1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. FAIL Block visited link sniffing

I guess I now have the same results as yourselves. :)

tokiodrift1
15.11.10, 00:21
1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing

14/17

FF, latest stable.

SealLion
15.11.10, 02:48
17. PASS Block visited link sniffing

tokio, how did you manage to get this as a pass when we got ours as a fail?

Instab
15.11.10, 05:56
1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. FAIL httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing


Also, the test requires JS, which I normally have disabled by default.

illusive
22.11.10, 23:15
1. FAIL postMessage API
2. FAIL JSON.parse API
3. FAIL toStaticHTML API
4. FAIL httpOnly cookie API
5. FAIL X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. FAIL Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. FAIL Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. FAIL Cross Origin Resource Sharing
17. FAIL Block visited link sniffing


I'm using FireFox 1.5.0.4

anon
22.11.10, 23:17
I'm using FireFox 1.5.0.4

You're using a very old piece of software last updated in mid-2006. It's time to upgrade.

Renk
23.11.10, 04:29
Netscape's results:



1. FAIL postMessage API
2. FAIL JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. FAIL X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. FAIL Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. FAIL Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. FAIL Cross Origin Resource Sharing
17. FAIL Block visited link sniffing

illusive
24.11.10, 00:00
You're using a very old piece of software last updated in mid-2006. It's time to upgrade.

Well, there were many add-ons working with this version, but after your advice I've upgraded to 3.6.12. So the results are:



1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. FAIL Block visited link sniffing

anon
24.11.10, 00:11
Well, there were many add-ons working with this version

You can edit the XPI file so that they'll accept the new Firefox version, and possibly, work.

Renk
24.11.10, 00:18
Well, there were many add-ons working with this version, but after your advice I've upgraded to 3.6.12. So the results are:

With your add-ons?

Maybe it would be interesting to do the test with a new FF profile, without any addons.

Sazzy
09.01.11, 19:10
Also, the test requires JS, which I normally have disabled by default.

What about all those JavaScript-heavy sites nowadays? You just don't visit them, or...?

anon
09.01.11, 19:11
He probably enables JavaScript on a whitelist-like basis. Just like I do with both JS itself (NotScripts for Opera) as well as Flash.

Sazzy
09.01.11, 22:45
A blacklist I would understand. A whitelist, however, is too much work imho.

anon
10.01.11, 00:00
A whitelist, however, is too much work imho.

Not quite, once you've browsed enough and added all the broken sites to it. :wsmile:

Grambo
10.01.11, 00:12
Using latest FF stable for Windows:


1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. FAIL httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing

Evilmill
11.01.11, 18:34
1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. FAIL Cross Origin Resource Sharing
17. FAIL Block visited link sniffing

Opera 11 result. Passed 9/17.

anon
11.01.11, 20:52
Evilmill, I'm using Opera 11 too, and I'm passing points 6 and 17, whereas you do not?

The last one sounds like it's related to referrers, which you can easily turn off via F12 -> Send Referrer Information. That's a good idea to prevent sites you visit from knowing where you've been, actually.

mmmmm
11.01.11, 21:13
1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing

Why don't people write the browser version and OS for their tests? :frown:

FF 3.6.13, XP SP3 :tongue:

Any idea how to fix 11, 12 & 15 (need to be more secure)?!!

Instab
11.01.11, 23:00
What about all those JavaScript-heavy sites nowadays? You just don't visit them, or...?


He probably enables JavaScript on a whitelist-like basis. Just like I do with both JS itself (NotScripts for Opera) as well as Flash.


A blacklist I would understand. A whitelist, however, is too much work imho.

NoScript does a great job. All off by default, and if I feel that a site doesn't work as it should, I can enable it with one click, either temp. or perm.
But I rarely use multimedia stuff, and those mentioned fat sites are so much nicer and faster without JS :D

ErRor
11.01.11, 23:11
Here is my test ----> FF 3.6.13 ---> Win 7 32-bit


1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing

7 FAILS :(

anon
12.01.11, 00:48
But I rarely use multimedia stuff, and those mentioned fat sites are so much nicer and faster without JS :D

Not that it's a fat site, but the new TL is quite broken without JavaScript. So are a bunch of other sites. Sometimes it may not be possible, but when it is, webmasters should always provide a version of their site that works without scripting support (instead of a semi-unusable document). :dabs:

Evilmill
12.01.11, 05:25
Evilmill, I'm using Opera 11 too, and I'm passing points 6 and 17, whereas you do not?

The last one sounds like it's related to referrers, which you can easily turn off via F12 -> Send Referrer Information. That's a good idea to prevent sites you visit from knowing where you've been, actually.

Still the same... I did turn off the Send Referrer Information.