Archive for September 2006
The URL http://<script> contains characters that are not valid in the location they are found.
The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.
This is the first time I’ve seen anything like this. Now, while it may not in itself be a security feature, it could certainly go in that direction. If it also dealt with encoded chevrons (< as %3C), then it could be a large jump forward in the fight against XSS, specifically reflected vectors.
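As an added example (this editor's code, not something from the original post or from any browser vendor), here is the kind of location-bar check the post is asking for: flag a URL when it carries an angle bracket either literally or in percent-encoded form, decoding repeatedly so double-encoded variants such as %253C are caught as well. The function names and the sample URLs are assumptions made for illustration. The last sample also shows the heuristic's limit: a reflected payload injected into an attribute or script context needs no chevrons at all, so it passes unflagged.

```javascript
// Added example: a URL-bar heuristic flagging '<' / '>' whether literal or
// percent-encoded. Function and sample URLs are constructed for illustration.

const MARKUP_CHARS = /[<>]/;
const MAX_DECODE_ROUNDS = 5; // bound on nested encodings (%25253C, ...)

// Percent-decode until the string stops changing, so %253C -> %3C -> '<' is
// seen. A malformed sequence (a bare '%') makes decodeURIComponent throw, so
// fall back to decoding only the well-formed %XX pairs instead of giving up.
function fullyDecode(s) {
  let cur = s;
  for (let round = 0; round < MAX_DECODE_ROUNDS; round++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      next = cur.replace(/%([0-9a-f]{2})/gi,
        (m, hex) => String.fromCharCode(parseInt(hex, 16)));
    }
    if (next === cur) break; // nothing left to decode
    cur = next;
  }
  return cur;
}

// True when the URL contains markup characters in any encoding layer.
function urlHasMarkup(url) {
  // A literal '<' in the location bar is the case the post's browser flagged.
  if (MARKUP_CHARS.test(url)) return true;
  // The encoded forms are the extension the post asks for.
  return MARKUP_CHARS.test(fullyDecode(url));
}

// Constructed sample URLs: the first three should be flagged, the last two not.
const SAMPLES = [
  "http://<script>",                                              // literal
  "http://example.com/?q=%3Cscript%3Ealert(1)%3C/script%3E",      // encoded
  "http://example.com/?q=%253Cscript%253E",                       // double-encoded
  "http://example.com/?q=100%25%20done",                          // benign '%'
  "http://example.com/?q=%22%20onmouseover%3Dalert(1)%20x%3D%22", // no chevrons
];

function checkSamples() {
  return SAMPLES.map((u) => [u, urlHasMarkup(u)]);
}

for (const [u, flagged] of checkSamples()) {
  console.log(flagged ? "FLAGGED " : "ok      ", u);
}
```

The benign `100%25%20done` case matters: after one decoding round the string contains a bare `%` followed by a space, which `decodeURIComponent` rejects, and a naive implementation would either throw or stop checking; the fallback keeps scanning without introducing a false positive. The final sample is the caveat for anyone tempted to treat this as a full reflected-XSS defence: the payload breaks out of a quoted attribute with `"` and `=` only, so a chevron filter never sees it.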
I have posted on a few Web Browser community boards in the hope of drawing attention to this suggestion. I doubt it will be implemented soon.
But with XSS being the top risk lately, it’s slightly comforting to know we might have at least some defense.
I’ll update my non-existent readers on the status of the message board threads.