Information about your favorite browser: news, articles and more.




Shortly after the SPI Dynamics presentation that sparked a renewed discussion on feed security in the community last month, James Snell developed a suite of tests (based on an earlier set by James Holderness), and generously made them available quietly to aggregator developers. He has now made the tests public.

I contacted James last month (via email as he requested) and he pointed me to the test suite, so we could test them against our own security mitigations. We have done full test passes using his test suite.

The result: IE7 passed all of the tests (which means that no script from the feeds executed successfully in IE, and that developers using the RSS platform would not have been vulnerable to the class of attacks in the tests). This confirms SPI Dynamics' findings that IE7 was not vulnerable to the attacks described in their paper.

I thought it might be useful to use this opportunity to talk about our commitment to security, the defense-in-depth strategy that we have taken, and how other aggregator developers might benefit from the work we have done.

Microsoft Team RSS Blog: More on Feed Security

