It is a common practice to connect to ad servers from different pages (though this is very unlikely on a bank's site). But e-commerce sites do have links to ad servers (DoubleClick et al.). In such a case it would be difficult for the browser to completely block accesses to other sites.
A way around could be to check for the outbound https:// and warn / prompt / block the connection. This way the user can be directed towards the impending danger.
I think solution 2 could be a plausible solution. This would of course require the different browser vendors to adhere to the tags (read: difficult to expect it to work on all the browsers). Though there can be a start on it.
The meta tag being generated for the valid_sites can also have (apart from others) timeout values, key strengths etc. so that any spoofing / m-i-m attacks can be thwarted.
Just the thoughts that occurred at this instant.
----- Copyright (c) by Gangadhar NPK, 2004
Anders Hedström wrote:
Here's an idea I came up with, when reading about html injection scams... The page can be viewed at http://www.alhem.net/valid_sites/
Proposal for an HTML security enhancement (a.k.a. no more phishing)
The problem is phishing scams. Evil HTML code is injected in valid pages, making them look legitimate. With this proposal, webmasters and companies would be able to increase the security of their web sites.
Solution one
The browser will only enable connections to sites listed in the current html document, such as links to other pages, images and forms.
This should only be applied to html code directly from the originating web server. Code generated by javascript is not to be trusted, even if the script itself comes from the correct server.
Solution two
The webmaster can include a list of valid sites in the header of the html document, thereby telling the browser which sites are valid to connect to. This adds a bit more work to keep a site updated.
Perhaps by adding a new <meta ...> tag in the <head> section of a page:
<meta name="valid-sites" content="www.alhem.net,213.199.75.18">
If the user tries to follow a link to a site that is not on this list, a warning will be displayed and the request cancelled. External resources and html forms linking to other sites than the approved list must be ignored.
----
Page, code, and content Copyright (C) 2004 by Anders Hedström
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
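As an added illustration of how a browser could enforce "solution two" (this is example code written for this page, not code from the thread or from alhem.net): it reads the proposed `<meta name="valid-sites">` allowlist out of a constructed sample page and classifies every link, image, script, frame and form target by host, allowing relative URLs (the originating server) and allowlisted hosts and blocking everything else. The sample page and the look-alike host `www.alhem-secure.example` are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element attributes that make a browser fetch from, or navigate/submit to, another host.
TARGET_ATTRS = {"a": "href", "img": "src", "form": "action", "script": "src", "iframe": "src"}


class ValidSitesParser(HTMLParser):
    """Collects the valid-sites allowlist and every outbound target in a document."""

    def __init__(self):
        super().__init__()
        self.valid_sites = None   # stays None if the page declares no policy
        self.targets = []         # (tag, url) pairs, in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "valid-sites":
            hosts = a.get("content", "").split(",")
            self.valid_sites = {h.strip().lower() for h in hosts if h.strip()}
        elif tag in TARGET_ATTRS and a.get(TARGET_ATTRS[tag]):
            self.targets.append((tag, a[TARGET_ATTRS[tag]]))


def check_page(html, page_url):
    """Return (allowed, blocked) lists of (tag, url) for the page loaded from page_url."""
    parser = ValidSitesParser()
    parser.feed(html)
    if parser.valid_sites is None:          # no meta tag: no policy to enforce
        return list(parser.targets), []
    origin = urlparse(page_url).hostname.lower()
    allowed_hosts = {origin} | parser.valid_sites
    allowed, blocked = [], []
    for tag, url in parser.targets:
        host = urlparse(url).hostname
        # Relative URLs resolve to the originating server; absolute ones need an allowlisted host.
        ok = host is None or host.lower() in allowed_hosts
        (allowed if ok else blocked).append((tag, url))
    return allowed, blocked


# Constructed sample: a legitimate page with an injected form posting to a look-alike host.
SAMPLE_HTML = """<html><head>
<meta name="valid-sites" content="www.alhem.net,213.199.75.18">
</head><body>
<a href="/login">Login</a>
<img src="http://213.199.75.18/logo.gif">
<form action="http://www.alhem-secure.example/steal">...</form>
<a href="http://www.alhem.net/faq.html">FAQ</a>
</body></html>"""

if __name__ == "__main__":
    ok, bad = check_page(SAMPLE_HTML, "http://www.alhem.net/index.html")
    print("allowed:", ok)
    print("blocked:", bad)
```

Script-generated markup is deliberately not covered: the proposal only trusts HTML served directly by the originating server, so a real implementation would run this check on the raw response rather than on the DOM after scripts have executed.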
