What's new? | Help | Directory | Sign in
Updated Today (2 hours ago) by lcamtuf
Labels: Featured
Browser Security Handbook landing page

Browser Security Handbook

Table of Contents


Hello, and welcome to the Browser Security Handbook!

This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.

The current version of this document is based on the following versions of web browsers:

Browser Version Test date Usage* Notes
Microsoft Internet Explorer 6 6.0.2900.5512 Nov 18, 2008 23%
Microsoft Internet Explorer 7 7.0.5730.11 Dec 11, 2008 47%
Microsoft Internet Explorer 8 (beta) n/a Not tested - pending release.
Mozilla Firefox 2 Nov 28, 2008 5%
Mozilla Firefox 3 3.0.3 Nov 18, 2008 15%
Apple Safari 3.2 Nov 18, 2008 5%
Opera 9.62 Nov 18, 2008 ~1%
Google Chrome Dec 11, 2008 ~1%
Android embedded browser SDK 1.0 RC1 Nov 10, 2008 n/a

* Approximate browser usage data based on public Net Applications estimates for October 2008.

Disclaimers and typographical conventions

Please note that although we tried to make this document as accurate as possible, some errors might have slipped through. Use this document only as an initial reference, and independently verify any characteristics you wish to depend upon. Test cases for properties featured in this document are freely available for download.

The document attempts to capture the risks and security considerations present for general populace of users accessing the web with default browser settings in place. Although occasionally noted, the degree of flexibility offered through non-standard settings is by itself not a subject of this comparative study.

Through the document, red color is used to bring attention to browser properties that seem particularly tricky or unexpected, and need to be carefully accounted for in server-side implementations. Whenever status quo appears to bear no significant security consequences and is well-understood, but a particular browser implementation takes additional steps to protect application developers, we use green color to denote this, likewise. Rest assured, neither of these color codes implies that a particular browser is less or more secure than its counterparts.


Browser Security Handbook would not be possible without the ideas and assistance from the following contributors:

The document builds on years of previous security research by Adam Barth, Collin Jackson, Amit Klein, Jesse Ruderman, and many other security experts who painstakingly dissected browser internals for the past few years.

(Continue to basic concepts behind web browsers...)