Greetings.

On Wed, 21 Nov 2012 11:23:08 +0100 Sam Watkins <s...@nipl.net> wrote:
> On 11-20 08:08, Andrew Hills wrote:
> > Would it be possible to disable requests made by the page to any
> > address outside the page's domain?
>
> This is a worthwhile option for the browser.
>
> It can block many ads, and also block cross-site request forgery exploits.
>
> CSRF exploits take advantage of a major security hole in HTTP /
> web browser implementation, and can sometimes work without scripting -
> a static page can damage intranet / local web services using just a whole lot
> of img tags or similar, such as <img src="192.168.1.1/delete_stuff?id=1234">.
> Home routers are vulnerable to these attacks, leads to DNS poisoning, etc.
>
> A page with javascript can also make post requests to local services,
> I guess this works even in surf.

Cross‐side scripting is already a backwards compatibility to Google, like
Windows is the backward compatibility to the proprietary world. But yes, it
would be a nice toggle for surf, to turn off by default any cross‐side loading
and then turn it on when needed. Any volunteers? I can’t stand that GTK
abomination.

Sincerely,

Christoph Lohmann
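The decision such a toggle would have to make, as an added example that is not part of the original message and not surf's code: given the page URI and the URI of a request the page triggers, allow the request only when both hosts match. The names `uri_host` and `allow_request` are hypothetical, the URIs are constructed samples, and the check assumes the browser hands over absolute URIs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the lowercased host of an absolute URI into out.
 * Returns 0 on success, -1 if no usable host is found. */
static int uri_host(const char *uri, char *out, size_t n)
{
    const char *p = strstr(uri, "://");
    if (!p || p == uri) return -1;
    p += 3;
    size_t len = strcspn(p, "/?#");           /* authority ends here */
    for (size_t i = len; i > 0; i--)          /* drop userinfo up to the last '@' */
        if (p[i - 1] == '@') { p += i; len -= i; break; }
    size_t hlen;
    if (*p == '[') {                          /* bracketed IPv6 literal */
        const char *end = memchr(p, ']', len);
        if (!end) return -1;
        hlen = (size_t)(end + 1 - p);
    } else {                                  /* strip an optional :port */
        const char *colon = memchr(p, ':', len);
        hlen = colon ? (size_t)(colon - p) : len;
    }
    if (hlen == 0 || hlen >= n) return -1;
    for (size_t i = 0; i < hlen; i++)
        out[i] = (char)tolower((unsigned char)p[i]);
    out[hlen] = '\0';
    return 0;
}

/* 1 = let the request through, 0 = block. Anything unparsable is blocked. */
int allow_request(const char *page_uri, const char *req_uri)
{
    char page[256], req[256];
    if (uri_host(page_uri, page, sizeof page) != 0 ||
        uri_host(req_uri, req, sizeof req) != 0)
        return 0;
    return strcmp(page, req) == 0;
}

int main(void)
{
    /* Constructed sample URIs, not taken from any real page. */
    const char *page = "http://example.org/index.html";
    const char *reqs[] = { "http://example.org/style.css",
                           "http://192.168.1.1/delete_stuff?id=1234",
                           "http://example.org@192.168.1.1/x" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-42s %s\n", reqs[i], allow_request(page, reqs[i]) ? "allow" : "block");
    return 0;
}
```

The comparison is on the host only, so it treats a different port or scheme on the same host as in-domain, and it blocks subdomains and CDNs until the toggle is switched off for that page.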