You're using a very old piece of software last updated in mid-2006. It's time to upgrade.
Netscape's results:
Quote:
1. FAIL postMessage API
2. FAIL JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. FAIL X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. FAIL Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. FAIL Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. FAIL Cross Origin Resource Sharing
17. FAIL Block visited link sniffing
Well, there were many addons working with this version, but after your advice I've upgraded to 3.6.12. So the results are:
Quote:
1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. FAIL Block visited link sniffing
He probably enables JavaScript on a whitelist-like basis. Just like I do with both JS itself (NotScripts for Opera) as well as Flash.
A blacklist I would understand. A whitelist, however, is too much work IMHO.
Using latest ff stable for windows:
Quote:
1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. FAIL httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing
Opera 11 result. Passed at [9/17]
Code:
1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. FAIL Cross Origin Resource Sharing
17. FAIL Block visited link sniffing
Evilmill, I'm using Opera 11 too, and I'm passing points 6 and 17, whereas you do not?
The last one sounds like it's related to referrers, which you can easily turn off via F12 -> Send Referrer Information. That's a good idea to prevent sites you visit from knowing where you've been, actually.
Why do people not write their browser version and OS for their tests? :frown:
Code:
1. PASS postMessage API
2. PASS JSON.parse API
3. PASS toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. PASS Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing
ff 3.6.13 xp sp3 :tongue:
Any idea how to fix 11, 12 & 15 (need to be more secure)?!!
NoScript does a great job. All off by default, and if I feel that a site doesn't work as it should, I can enable it with one click, either temporarily or permanently.
But I rarely use multimedia stuff, and those mentioned fat sites are so much nicer and faster without JS :D
Here is my test ----> FF 3.6.13 ---> Win 7 32bit
7 FAILS :(
Code:
1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. FAIL X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. FAIL Strict Transport Security
14. PASS Block cross-origin CSS attacks
15. FAIL Content Security Policy
16. PASS Cross Origin Resource Sharing
17. PASS Block visited link sniffing