Browserscope Has Merged With Aussie Hosting
On Jan 21st of 2020, Browserscope joined forces with Aussie Hosting. Browserscope is a community-driven project for profiling web browsers. Its goals are to foster innovation by tracking browser functionality and to be a resource for web developers.
Unfortunately, as of late 2019 Browserscope was unable to pay the increasing server costs of a tool used by thousands of daily users. Nathan Finch of Aussie Hosting offered to maintain the domain and upgrade the set of browser tools available.
The original functionality of Browserscope as an open source tool for profiling web browsers has been expanded to also provide a suite of additional tools, including:
- Browser security testing
- CSS versions
- Browser compatibility
- Version checks
- 3rd party tracking settings
Nathan has also added a robust set of security testing parameters to the original project, detailed below:
What are the Security Tests?
Checks whether the browser natively supports the JSON.parse API. Native JSON parsing is safer than using eval.
Checks whether the browser supports the toStaticHTML API for sanitizing untrusted inputs.
Checks whether the browser supports the httpOnly cookie attribute, which is a mitigation for cross-site scripting attacks.
Checks whether the browser supports the X-Frame-Options header, which prevents clickjacking attacks by restricting how pages may be framed.
Checks whether the browser supports the X-Content-Type-Options header, which prevents MIME sniffing.
Block reflected XSS
Block location spoofing
Block JSON hijacking
Documents encoded in JSON format can be read across domains if the browser supports a mutable Array constructor that is called when array literals are encountered. JSON hijacking is also possible if the browser supports a mutable setter function for the Object prototype that is called when object literals are encountered.
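The check described above can be written as a probe that replaces the global Array constructor and installs a setter on Object.prototype, evaluates a JSON body the way a script include would, and records whether either hook fired on the literals. This is an added example, not Browserscope's own test code; the function name, the sample response and the `secret` key are constructed for illustration.

```javascript
// Constructed sample: a JSON response body as a <script> include would evaluate it.
const SAMPLE_JSON = '[{"secret": "constructed-value"}]';

// Hypothetical helper (not Browserscope code): reports whether evaluating
// literals in jsonText triggers a replaced Array constructor or a setter
// defined on Object.prototype for `key`.
function probeJsonHijacking(jsonText, key) {
  const RealArray = globalThis.Array;
  const seen = { arrayCtor: 0, setter: 0 };

  globalThis.Array = function FakeArray() {
    seen.arrayCtor++;
    return new RealArray();
  };
  Object.defineProperty(Object.prototype, key, {
    set() { seen.setter++; },
    configurable: true, // so the hook can be removed in `finally`
  });

  try {
    // Indirect eval runs the text in global scope, like an included script.
    (0, eval)(jsonText);
    const onLiteral = { arrayCtor: seen.arrayCtor, setter: seen.setter };

    // Positive control: an explicit constructor call and an ordinary
    // assignment must reach the hooks, proving the probe can see them.
    (0, eval)('new Array(); ({})[' + JSON.stringify(key) + '] = 1;');

    return {
      arrayLiteralHijackable: onLiteral.arrayCtor > 0,
      objectLiteralHijackable: onLiteral.setter > 0,
      controlsFired: seen.arrayCtor > onLiteral.arrayCtor &&
                     seen.setter > onLiteral.setter,
    };
  } finally {
    // Always restore the globals, even if the text fails to parse.
    globalThis.Array = RealArray;
    delete Object.prototype[key];
  }
}

const result = probeJsonHijacking(SAMPLE_JSON, 'secret');
console.log(result);
```

In an engine that follows ECMAScript 5 or later, both `Hijackable` flags come back false while `controlsFired` is true, because literals are built with the built-in constructors and define their properties directly instead of assigning through the prototype chain.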
Block XSS in CSS
Script in stylesheets can be used by attackers to evade server-side XSS filters. Support for CSS expressions has been discontinued in IE8 standards mode and XBL in stylesheets has been restricted to same-origin code in separate files in Firefox. We check to make sure that script injected into a site via stylesheet does not execute.
Checks whether the browser supports the sandbox attribute, which enables a set of extra restrictions on any content hosted by the iframe.
Checks whether the browser supports the Origin header, which is a mitigation for cross-site request forgery (CSRF) attacks.
Strict Transport Security
Checks whether the browser supports Strict Transport Security, which enables web sites to declare themselves accessible only via secure connections.
Block cross-origin CSS attacks
Cross Origin Resource Sharing
Checks whether the browser supports the APIs for making cross origin requests.
Block visited link sniffing
Most browsers style visited links through the :visited CSS pseudo-class. A user's browsing history can be sniffed by checking whether links match this pseudo-class. We test whether browsers restrict access to the :visited pseudo-class.
Content Security Policy
Checks whether the browser supports Content Security Policy, which reduces the XSS attack surface for websites that wish to opt in.