A Single-Site Browser's impact on XSS, CSRF, and Clickjacking

Discussion in 'other software & services' started by Dermot7, Feb 11, 2012.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    https://blog.whitehatsec.com/a-single-site-browsers-impact-on-xss-csrf-and-clickjacking/
     
    Last edited: Feb 11, 2012
  2. vasa1

    vasa1 Registered Member

    Very interesting!
    Isn't it possible to convert a regular browser into a "single-site browser"? For example, one could make a filter using AdBlock Plus to block everything and then add an exception for the site(s) one wants to allow?

    Edit: from the link, "Practically no one in the marketplace offers SSBs, you have to build them yourself. "
     
  3. m00nbl00d

    m00nbl00d Registered Member

    You can already achieve this in Chromium (I think it was introduced back in Google Chrome as well).

    Example:

    "C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com"

    In the above example, you'd be mapping everything to 127.0.0.1 (loopback), except google.com and any sub-domain. You could also map to -www.google.com, and in this case you'd only be able to connect to -www.google.com, but not any sub-domains.

    I've been running my Chromium profiles to access my e-mail accounts, Youtube and others this way for a long time now.

    To add more domains, you'd use a comma separated list.

    --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com","MAP * 127.0.0.1, EXCLUDE *.wilderssecurity.com"

    ####

    From the explanation:

    Source: -http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc
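
A simplified model of how the `--host-rules` value from the post above resolves individual hostnames, added here as an illustration; it is not code from the post or from Chromium. It assumes glob-style pattern matching and that EXCLUDE rules take precedence over MAP rules; the function names and sample hostnames are constructed.

```python
from fnmatch import fnmatchcase


def parse_host_rules(value):
    """Split a --host-rules value into MAP and EXCLUDE rules."""
    maps, excludes = [], []
    for rule in value.split(","):
        parts = rule.split()
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "MAP" and len(parts) == 3:
            maps.append((parts[1].lower(), parts[2]))
        elif verb == "EXCLUDE" and len(parts) == 2:
            excludes.append(parts[1].lower())
        else:
            raise ValueError(f"unrecognised rule: {rule.strip()!r}")
    return maps, excludes


def resolve_target(host, value):
    """Return the host a request would be sent to under this model."""
    maps, excludes = parse_host_rules(value)
    host = host.lower()
    # Assumption: an EXCLUDE match always wins over any MAP rule.
    if any(fnmatchcase(host, pattern) for pattern in excludes):
        return host
    for pattern, replacement in maps:
        if fnmatchcase(host, pattern):
            return replacement  # first matching MAP rule applies
    return host


def audit(value, hosts):
    """Map each hostname to its effective target for a quick review."""
    return {h: resolve_target(h, value) for h in hosts}


# The rule string from the post, plus constructed sample hostnames.
RULES = "MAP * 127.0.0.1, EXCLUDE *.google.com"
SAMPLE_HOSTS = ["mail.google.com", "google.com", "notgoogle.com",
                "google.com.attacker.example", "tracker.example"]

if __name__ == "__main__":
    for host, target in audit(RULES, SAMPLE_HOSTS).items():
        state = "allowed" if target == host else "sent to " + target
        print(f"{host:30} {state}")
```

Under these assumptions the pattern `*.google.com` covers subdomains but not the bare `google.com`, and look-alike names such as `google.com.attacker.example` stay mapped to loopback.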
     
  4. vasa1

    vasa1 Registered Member

    Also very interesting :)
    Did you encounter a time when it wasn't working?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Yes, I have. I was the one reporting it*. :D After a while, they reintroduced it back. It's too valuable to kill it, IMHO. :D

    * It wasn't a bug. They had deliberately killed the --host-rules flag, before I reported it.
     
  6. vasa1

    vasa1 Registered Member

    Yes, they claimed it was a dev thing only and that later some extension or the other would provide the facility. The nice thing about Chromium/Chrome is the number of switches available. Firefox has very few.
     
  7. Hungry Man

    Hungry Man Registered Member

    Firefox has way more - about:config is huge and you can create keys of your own. Chrome only has like... maybe 50-100 active flags, most of which don't do much.
     
  8. vasa1

    vasa1 Registered Member

    Is about:config a command-line switch? Is it?
     
  9. Hungry Man

    Hungry Man Registered Member

    Well you got me there lol
     
  10. m00nbl00d

    m00nbl00d Registered Member

    There's also one other way to have Site-specific in Google Chrome, by going to Wrench - Tools - Create Application Shortcuts.

    I find the --host-rules flag a more elegant way, as you still retain the full browser (settings and all that). I suppose people always have different preferences, though. :)
     
  11. vasa1

    vasa1 Registered Member

    I went back to the link referenced by Dermot7 in the first post. There's a comment linking to a pdf file (from Oct 2011 and co-authored by at least one Google heavyweight) that makes very difficult reading.

    The file is titled "App Isolation: Get the Security of Multiple Browsers with Just One". I wonder if things are more complicated than they appear :D
     
  12. Kees1958

    Kees1958 Registered Member

    smart :thumb:
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Of course... lol
     
  14. vasa1

    vasa1 Registered Member

    Some more background reading:
    "App Isolation: Get the Security of Multiple Browsers with Just One" >>> link to pdf file -http://research.google.com/pubs/archive/37198.pdf-
    BTW, one of the authors, CR, is "an active ultimate frisbee player".
     