In a blog post that has garnered a lot of attention, Brian Mastenbrook discusses a cross-site scripting issue that was enabled by Ruby on Rails and initially found on Twitter. The post is titled “How I cross-site scripted Twitter in 15 minutes, and why you shouldn't store important data on 37signals' applications”.
I’m not pointing fingers, because Microsoft has been bitten by IIS issues in the past, and most of these issues today would be prevented with mature coding practices; in other words, developers ultimately enable these issues in the presentation layer by emitting untrusted data into the page without encoding it. Yes, the tools and servers can help, but it’s sometimes tough to secure everything that the application developer can leave vulnerable. I have not looked into this story in detail either. However, some good news did come out, and most other bloggers out there are not picking up on this little tidbit:
Brian said: “One surprise I discovered during the process was that IE8 includes a Cross Site Scripting filter which effectively blocked this attack. I'm very impressed with the effort that Microsoft's taken to mitigate one of the most common web application security issues. Every other browser vendor needs to add this functionality yesterday.”
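To make the presentation-layer point above concrete, here is an added example (written for this page, not code from Brian's post, from Rails, or from the IE8 team) using only Ruby's standard-library ERB. The untrusted value and the two templates are constructed for illustration; the hardened template shows the fix the developer owns regardless of what the browser's filter catches: HTML-escape at the point of output.

```ruby
require 'erb'

# Constructed sample input: a user-supplied profile field that carries markup.
# This value is illustrative and is not taken from the original post.
UNTRUSTED_NAME = %q{<img src=x onerror="alert(1)">}

# Vulnerable presentation layer: the value is interpolated straight into the
# page, so any markup it contains becomes part of the document the browser parses.
VULNERABLE_TEMPLATE = ERB.new('<p>Hello, <%= name %>!</p>')

# Hardened presentation layer: the same value is HTML-escaped at the point of
# output, so the browser renders it as literal text instead of a new element.
SAFE_TEMPLATE = ERB.new('<p>Hello, <%= ERB::Util.html_escape(name) %>!</p>')

def render_vulnerable(name)
  VULNERABLE_TEMPLATE.result_with_hash(name: name)
end

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Simple check used only to contrast the two outputs: did the rendered page
# end up containing an element that originated in the input?
def contains_injected_markup?(html)
  html.include?('<img')
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(UNTRUSTED_NAME)
  puts render_safe(UNTRUSTED_NAME)
end
```

Running the file prints the two renderings side by side: the first contains a live `<img>` element injected by the input, while the second shows the same characters escaped as `&lt;img ...&gt;`, which is exactly the defect a browser-side filter can only partially paper over.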
This goes right at the heart of one of our IE8 themes:
Glad to hear additional good news about our browser.