NB: This is the text/html version of my talk from the German OWASP Day 2024 in Leipzig earlier this month. If you prefer, there is also a video from the event.
This article is about cross-site leak attacks and the defenses that have recently been introduced to counter them. I also want to answer the question of why web security best practices are always opt-in and, finally, how YOU can get increased security controls.
"When considering changes to legacy features or behavior [...] the benefit of the proposed change should be weighed against the likely cost of breaking content [...] In some cases, it may be desirable to make a nonstandard feature or behavior part of the conforming language, if it satisfies a valid use case."
So, in essence, this means that it should be avoided or at least be very hard to remove APIs from the web, once they have been widely used.
A great example of this is XML·Http·Request (or XHR): The first iteration of this API started with Microsoft building a proprietary feature into IE 5 to dynamically make HTTP requests. It became widely used, and other browsers defined a standard around it - retroactively, in 2006. I'm sure many readers have heard of or used XMLHttpRequest, though I bet very few of you actually use it for XML. And we actually have a better function. Remember what that one's called? Yep, fetch. Can you guess how long we've had fetch()? Almost 10 years. And browsers are still supporting XHR - they will likely keep doing so forever.