== web/Zalewski book ==

From the preface: the structure of this book

{{{
The layout of this book is centered on exploring some of the most prominent, high-level browser building blocks and various security-relevant topics derived from this narrative.
}}}

It focuses on the most prominent of the high-level building blocks that make up a browser, and also takes up the various security-related topics that branch off from that discussion.

== contents ==

http://nostarch.com/tangledweb

{{{
Table of Contents
Preface and Acknowledgments
1. Security in the World of Web Applications
Part I: Anatomy of the Web
2. It Starts with A URL
3. Hypertext Transfer Protocol
4. Hypertext Markup Language
5. Cascading Style Sheets
6. Browser-Side Scripts
7. Non-HTML Document Types
8. Content Rendering with Browser Plug-Ins
Part II: Browser Security Features
9. Content Isolation Logic
10. Origin Inheritance
11. Life Outside Same-Origin Rules
12. Other Security Boundaries
13. Content Recognition Mechanisms
14. Dealing with Rogue Scripts
15. Extrinsic Site Privileges
Part III: A Glimpse of Things to Come
16. New and Upcoming Security Features
17. Other Browser Mechanisms of Note
18. Common Web Vulnerabilities
Epilogue
Notes
Index
}}}

amazon.com (with reviews)
http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886

This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.

1 SECURITY IN THE WORLD OF WEB APPLICATIONS 1

{{{
Information Security in a Nutshell ... 1
Flirting with Formal Solutions ... 2
Enter Risk Management ... 4
Enlightenment Through Taxonomy ... 6
Toward Practical Approaches ... 7
A Brief History of the Web ... 8
Tales of the Stone Age: 1945 to 1994 ... 8
The First Browser Wars: 1995 to 1999 ... 10
The Boring Period: 2000 to 2003 ... 11
Web 2.0 and the Second Browser Wars: 2004 and Beyond ... 12
The Evolution of a Threat ... 14
The User as a Security Flaw ... 14
The Cloud, or the Joys of Communal Living ... 15
Nonconvergence of Visions ... 15
Cross-Browser Interactions: Synergy in Failure ... 16
The Breakdown of the Client-Server Divide ... 17
}}}

PART I: ANATOMY OF THE WEB

2 IT STARTS WITH A URL 23

In chapter 2, the book details that something as elementary as how the resolution of relative URLs is done isn't a trivial exercise. The book details how misunderstandings between application-level URL filters and the browser when handling these types of relative references can lead to security problems.

{{{
Uniform Resource Locator Structure ... 24
Scheme Name ... 24
Indicator of a Hierarchical URL ... 25
Credentials to Access the Resource ... 26
Server Address ... 26
Server Port ... 27
Hierarchical File Path ... 27
Query String ... 28
Fragment ID ... 28
Putting It All Together Again ... 29
Reserved Characters and Percent Encoding ... 31
Handling of Non-US-ASCII Text ... 32
Common URL Schemes and Their Function ... 36
Browser-Supported, Document-Fetching Protocols ... 36
Protocols Claimed by Third-Party Applications and Plug-ins ... 36
Nonencapsulating Pseudo-Protocols ... 37
Encapsulating Pseudo-Protocols ... 37
Closing Note on Scheme Detection ... 38
Resolution of Relative URLs ... 38
Security Engineering Cheat Sheet ... 40
When Constructing Brand-New URLs Based on User Input ... 40
When Designing URL Input Filters ... 40
When Decoding Parameters Received Through URLs ... 40
}}}

3 HYPERTEXT TRANSFER PROTOCOL 41

{{{
Basic Syntax of HTTP Traffic ... 42
The Consequences of Supporting HTTP/0.9 ... 44
Newline Handling Quirks ... 45
Proxy Requests ... 46
Resolution of Duplicate or Conflicting Headers ... 47
Semicolon-Delimited Header Values ... 48
Header Character Set and Encoding Schemes ... 49
Referer Header Behavior ... 51
HTTP Request Types ... 52
GET ... 52
POST ... 52
HEAD ... 53
OPTIONS ... 53
PUT ... 53
DELETE ... 53
TRACE ... 53
CONNECT ... 54
Other HTTP Methods ... 54
Server Response Codes ... 54
200–299: Success ... 54
300–399: Redirection and Other Status Messages ... 55
400–499: Client-Side Error ... 55
500–599: Server-Side Error ... 56
Consistency of HTTP Code Signaling ... 56
Keepalive Sessions ... 56
Chunked Data Transfers ... 57
Caching Behavior ... 58
HTTP Cookie Semantics ... 60
HTTP Authentication ... 62
Protocol-Level Encryption and Client Certificates ... 64
Extended Validation Certificates ... 65
Error-Handling Rules ... 65
Security Engineering Cheat Sheet ... 67
When Handling User-Controlled Filenames in Content-Disposition Headers ... 67
When Putting User Data in HTTP Cookies ... 67
When Sending User-Controlled Location Headers ... 67
When Sending User-Controlled Redirect Headers ... 67
When Constructing Other Types of User-Controlled Requests or Responses ... 67
}}}