Browser bugs vs. attacks on same origin policy

Dafydd Stuttard | 15 August 2007 at 06:06 UTC
browser security

A bar-room conversation with a colleague at Black Hat led me to think about this question, and here are my thoughts, for what they're worth.

Today's browsers are full of 0day, particularly in the processing of images and other media, and in plug-ins like ActiveX controls. At the same time, a thriving area of current research is focused on attacks against the browser same origin policy, involving JSON hijacking, DNS rebinding, other workarounds and logic flaws. Which of these areas is more worthy of our attention?

Here are two polarised (and somewhat caricatured) opinions:

Of these two positions, the second is the easier to shoot down. Aside from a narrow subset of browser bugs, no defences in the application can protect against a compromised browser. If an attacker can execute arbitrary machine-level code within a user's browser, then they completely own that user's interaction with any web application.

Does that mean we must accept the first position? There are several reasons why not: