RETURN $ecure;

Security, Technology and Life

Other browsers expanding on Opera weirdness

with one comment

rsnake recently made a post regarding some weirdness I found in Opera. Opera gives an error message when unencoded html is inserted into the address bar.

The URL http://<script> contains characters that are not valid in the location they are found.

  • The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.

This is the first time I’ve seen anything like this. Now while it may not in itself be a security feature, it could certainly go in that direction. If it also dealt with encoded chevrons (< as %3C) then it could be a large jump forward in the fight against XSS, specifically reflected vectors.
I have posted on a few web browser community boards with hopes of getting attention for this suggestion. I doubt it will be implemented soon. But with XSS being the top risk lately, it’s slightly comforting to know we might have at least some defense.
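To make the suggestion concrete, here is an added example (not Opera's code, and not from the original post) of what an address-bar check of this kind could look like. It flags raw chevrons as Opera already does, and goes one step beyond the post by also flagging percent-encoded ones, including double-encoded forms such as %253C, and reports which part of the URL triggered the warning. The function names inspectUrl, fullyDecode, splitUrl and warningMessage and the URL splitter are assumptions for illustration.

```javascript
// Added example, not Opera's implementation: a heuristic address-bar check
// that warns on '<' or '>' whether they appear raw or percent-encoded.
// Assumption: the input is the URL string as typed or followed.

// Decode percent-encoding repeatedly so double-encoding (e.g. %253C -> %3C
// -> <) is caught. decodeURIComponent throws on malformed escapes such as a
// lone '%', so a failure keeps the last successfully decoded value.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let round = 0; round < maxRounds; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: keep what we have
    }
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return current;
}

// Minimal splitter into authority, path, query and fragment. A browser's URL
// parser is far more involved; this only needs to locate where a chevron
// sits so the warning can name the location, as Opera's message does.
function splitUrl(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*:)?(\/\/[^/?#]*)?([^?#]*)(\?[^#]*)?(#.*)?$/.exec(url);
  return {
    authority: m[2] ? m[2].slice(2) : "",
    path: m[3] || "",
    query: m[4] ? m[4].slice(1) : "",
    fragment: m[5] ? m[5].slice(1) : "",
  };
}

// Returns { suspicious, findings } where each finding names the URL part
// and whether the chevron was present raw or only after decoding.
function inspectUrl(url) {
  const findings = [];
  for (const [where, text] of Object.entries(splitUrl(url))) {
    if (text === "") continue;
    if (/[<>]/.test(text)) {
      findings.push({ where, kind: "raw" });
    } else if (/[<>]/.test(fullyDecode(text))) {
      findings.push({ where, kind: "encoded" });
    }
  }
  return { suspicious: findings.length > 0, findings };
}

// Builds a warning in the style of the Opera message, or null if clean.
function warningMessage(url) {
  const verdict = inspectUrl(url);
  if (!verdict.suspicious) return null;
  const where = verdict.findings.map((f) => `${f.where} (${f.kind})`).join(", ");
  return `The URL ${url} contains characters that are not valid in the location they are found: ${where}.`;
}

// Constructed sample URLs for a quick demonstration.
for (const sample of [
  "http://<script>",
  "https://example.com/search?q=%3Cb%3E",
  "https://example.com/search?q=%253Cb%253E",
  "https://example.com/path?q=hello%20world#top",
]) {
  console.log(sample, "->", warningMessage(sample) || "no warning");
}
```

Two caveats a practitioner would want alongside such a check: a search box that legitimately accepts markup will produce %3C in its query string, so the warning would fire on harmless URLs and needs an allow-list or a softer prompt; and input that is reflected inside an existing attribute or script block can be misused without any angle brackets, so chevron detection is one defense-in-depth layer, not a substitute for output encoding on the server.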

I’ll update my non-existent readers on the status of the message board threads.


Written by Rodney G

09/22/2006 at 12:32 am

Posted in Uncategorized


One Response


  1. I'm having a problem installing Opera 9.02 on FC5.
    Every time I try to run it, it comes back with an “unable to find software information” error.
    When I try to run it from the command line, I get 6 conflict errors.
    I must add that I already have Opera 8.54 but I close it down before I try and run it.

    Joe

    12/1/2006 at 5:56 am

