There are five new security features, according to Adam Barth, a software engineer working on Chromium, the open source project that forms the basis for the Google Chrome web browser. One of the most innovative features was first proposed in a research paper two years ago. Strict-Transport-Security lets a website tell the browser that it wants to be contacted using Secure Sockets Layer (SSL), meaning that the browser will always begin an HTTPS session with the site, and will treat any certificate errors as hard stops, ending the session.
"In addition to being in Google Chrome 4, Strict-Transport-Security has also been implemented in NoScript, a security add-on for Firefox, and a native implementation is underway in Firefox," Barth pointed out. "A number of high-security websites have already started to use the feature, including PayPal."
X-Frame-Options is another security feature that will help to prevent clickjacking attacks in which a hidden element is positioned under the user's cursor, causing a covert action to be performed when the user clicks the mouse button. The feature lets a web developer request that a page not be loaded inside a frame.
The internet browser will also support several security features to be found in HTML 5, the as-yet unratified successor to HTML 4. A postMessage API, which is a new feature in HTML 5, lets developers use iFRAME tags to include gadgets on their websites, while giving them the functionality that they would normally enjoy when using scripts to take advantage of the gadgets.
Another HTML 5 security feature now supported from within Chromium is the Origin header, which protects the browser against cross-site request forgery (CSRF) attacks. CSRF occurs when a malicious web page persuades a browser to submit an HTTP request to another, legitimate site, getting it to perform an action. Origin enables the legitimate website to recognize where the request came from, and therefore decide more intelligently whether it should fulfil the request.
Finally, reflective cross-site scripting attacks can be mitigated using a filter added into the browser that checks to see whether a script that is about to run on a web page was also included in the request for that web page. "If the script is present in the request, that's a strong indication that the web server might have been tricked into reflecting the script," Barth said.
Many of these security features are already present in some form in the other major browsers. Internet Explorer 8 has a XSS filter, for example, and it supports postMessage and X-Frame-Options, along with Safari 4.