Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards

As we all know, web standards are only leaving "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I got reminded again about some of the changes we had to make over the last year or so.


This weekend we just had yet another post about people picking bad passwords. The only real way around this problem is a password manager. For a long time, browsers included features to allow you to save passwords. But historically, these features were not liked very well as they tended to protect the password inadequately. But with the number of leaked passwords going up and up, and browser makers feeling more confident about their built in password safe features, some browsers started to ignore this setting. For example recent versions of Chrome and Safari will offer saving your password no matter if the "autocomplete=off" attribute is set or not.

BTW: You may still need to keep your autocomplete=off attribute in your forms to pass the PCI audit. After all, in this case you are not defending against hackers but against auditors and the attribute still works great to fend of auditor questions.

In the end, this means it is up to the user to decide to enable or disable this feature, and what password safe to use. Personally I don't think you can do without a password safe. But some people still think they can remember > 100 random passwords/passphrases. (I am having a hard time with one or two).

Cookie2 Headers

"nobody" ever really used the Cookie2 header. It was supposed to address privacy concerns people had with regular cookies. Cookies set via the Cookie2 header are essentially session cookies. They can not be set "cross domain" and they expire as soon as you close the browser. But that was back in the day when people still considered privacy as something attainable. RFC 6265 officially obsoletes Cookie2 back in 2011. I guess nobody noticed (me neither) because nobody uses it.

URL Bars

Another "good old days" feature of many browsers was URL bars. They are slowly disappearing. The simple reason is that most users (no... you are not "most users" as you are reading this post) have no idea what a URL is or how to decipher it. It all started with mobile browsers who pushed the URL off the screen as soon as possible to save the few mega pixels it would take to render the URL bar. I think it was Internet Explorer 8 where I first noticed that the URL bar got squished into a corner in order to provide more space for the search bar. Google now is tying to make this change more official by only showing the hostname, not the full URL, in recent beta releases of Chrome. The idea here is that the hostname is what matters and the other parts of the URL are usually just used by phishers to confuse the user as to the actual location of the page.

Anything I missed? Not looking for brand new features like HTTP/2.0 but for old features that no longer work in new browsers and are somewhat security related. I may add a couple more items to this post or as a comment as I remember them.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4476 Posts
ISC Handler
May 6th 2014
Interesting note about Autocomplete. In fact, Microsoft has officially removed support for it in IE11 ( "As of Internet Explorer 11, the autocomplete property is no longer supported for input type=password fields."
So the behavior is always-on now?

BTW, do you have a specific reference for your PCI crack? If you're right then it would seem that you can't be PCI compliant using IE11+
Larry Seltzer

26 Posts
IE 11 (like Safari and others) always allows the user to store the data. I don't think that would affect PCI compliance per se as the compliance verifies the web application, not the browser the user uses. I can see where an auditor may request a certain configuration for browsers used to access the site from the company that is being examined (the merchants computers, not the customer computers).

The PCI reference I have seen is section 3.2 that requires that some data can not be stored. The OWASP E-Commerce Payments guide mentions autocomplete in that context (…) . The automcomplete part applies to the credit card and cvv2 number in this context. I don't think the PCI standard would require it for the password, but it is possible that it can be interpreted that way.

Personally, I was never a big fan of the requirement as there is still no HTML tag that prevents users from writing passwords on post-its, and as I mentioned above, how else are you going to remember them?

4476 Posts
ISC Handler
If you work for a government, defending against auditors is often more important than defending against attackers. Sad, but true.

88 Posts
I hope there will be a way for us abnormal users to turn this back on. I don't expect Microsoft to make it easy, but I would hope Google and the Mozilla Foundation would make it a checkbox in the preferences.

2 Posts
So Yahoo says "never mind" to the user DoNotTrack setting, and now the browsers outright ignore the site coding. So much for having any control from either side (like we ever did, but still...).

AutoComplete=Off is just a necessary evil in audit land, and I imagine few of the auditors at the big financials and others know that it doesn't make much difference. Autocomplete fields and "X-Frame-Options" headers were two of the prominent audit findings last year, usually NON-negotiable fixes even as silly as they are as 'vulnerability controllers'.

47 Posts

Sign Up for Free or Log In to start participating in the conversation!