On 11-20 08:08, Andrew Hills wrote:
> Would it be possible to disable requests made by the page to any
> address outside the page's domain?

This is a worthwhile option for the browser. It can block many ads, and also block cross-site request forgery exploits.

CSRF exploits take advantage of a major security hole in HTTP / web browser implementation, and can sometimes work without scripting - a static page can damage intranet / local web services using just a whole lot of img tags or similar, such as <img src="192.168.1.1/delete_stuff?id=1234">. Home routers are vulnerable to these attacks, which leads to DNS poisoning, etc. A page with JavaScript can also make POST requests to local services; I guess this works even in surf.

I posted about CSRF, sanity level may vary:

http://sswam.com/2012/03/16/not-secure-will-fail-how-to-stop-csrf-cross-site-request-forgery/
http://sswam.com/2012/03/21/not-secure-will-fail-how-to-stop-csrf-cross-site-request-forgery-tldr-edition/

(and yes, I know I am using sucky blog software.)
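
A sketch of the filter proposed in this thread, added here as an example; it is not code from the thread, from surf or from WebKit. The function names, the sample page and the sample requests are constructed, and the policy assumed is a same-origin match (scheme, host and port), which is stricter than matching the domain alone.

```javascript
// Added example: a same-site request filter of the kind proposed above.
// Hypothetical helper names; not surf or WebKit code.

// Schemes that are resolved inside the browser and never reach the network.
const LOCAL_SCHEMES = new Set(["data:", "blob:", "about:"]);

// Decide whether a page may load a subresource.
// Policy (assumption): allow only when scheme, host and port match the page.
function checkRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    // Relative references resolve against the page, as a browser does.
    target = new URL(requestUrl, page);
  } catch (e) {
    return { allow: false, reason: "unparseable URL" };
  }
  if (LOCAL_SCHEMES.has(target.protocol)) {
    return { allow: true, reason: "local scheme" };
  }
  if (target.origin === page.origin) {
    return { allow: true, reason: "same origin" };
  }
  return { allow: false, reason: `cross-origin request to ${target.host}` };
}

// Constructed sample: subresources referenced by a page on example.org.
const PAGE = "http://example.org/article.html";
const SAMPLE_REQUESTS = [
  "/style.css",                                   // site-relative
  "images/logo.png",                              // path-relative
  "http://ads.example.net/banner.gif",            // third-party ad
  "http://192.168.1.1/delete_stuff?id=1234",      // CSRF-style img target
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",   // inline image
];

// Apply the policy to every request the page would make.
function filterRequests(pageUrl, requests) {
  return requests.map((r) => ({ url: r, ...checkRequest(pageUrl, r) }));
}

for (const d of filterRequests(PAGE, SAMPLE_REQUESTS)) {
  console.log(d.allow ? "ALLOW" : "BLOCK", d.url, "-", d.reason);
}
```

The decision depends only on the page URL and the resolved target, so it applies equally to img loads and to script-issued requests.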