Browser Security Policies Documented And Compared

I have often wondered about this kind of thing.  Browsers implement all kinds of “policies” that are largely implemented as undocumented logic in code – probably in response to a security bug.  Never before that I’m aware of has such a great documentation of considerations for client-side security for browsers been documented.

I’ve read through the whole thing and it is fascinating reading.  I hope the browser vendors look at this and start a war for who’s going to have a more secure browser!

Main - browsersec - Google Code - Browser Security Handbook landing page

This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.