Checks whether the browser supports the HTML 5 cross-document messaging API that enables secure communication between origins.
Checks whether the browser natively supports the JSON.parse API. Native JSON parsing is safer than using eval.
Checks whether the browser supports the toStaticHTML API for sanitizing untrusted inputs.
Checks whether the browser supports the httpOnly cookie attribute, which is a mitigation for cross-site scripting attacks.
Checks whether the browser supports the X-Frame-Options response header, which prevents clickjacking attacks by restricting how pages may be framed.
Documents encoded in JSON format can be read by a page on another domain if the browser supports a mutable Array constructor that is called whenever an array literal is evaluated. JSON hijacking is also possible if the browser supports a mutable setter function on the Object prototype that is called whenever an object literal is evaluated.
Script in stylesheets can be used by attackers to evade server-side XSS filters. Support for CSS expressions has been discontinued in IE8 standards mode, and XBL in stylesheets has been restricted to same-origin code in separate files in Firefox. We check to make sure that script injected into a site via a stylesheet does not execute.
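The two JSON-hijacking vectors described above can be probed with a feature-detection script like the following. This is an added example, not the test suite's own code; it assumes a JavaScript engine with `globalThis` and indirect `eval`, and the JSON payload is a constructed sample.

```javascript
// Feature-detection probes for the two legacy JSON-hijacking vectors.
// A cross-domain <script src="data.json"> evaluates the response as JavaScript,
// so an engine that lets a page hook array-literal construction or object-literal
// property assignment would leak the contents to that page.
// Constructed sample payload; any value-bearing JSON document would do.
const SAMPLE_JSON = '[{"user":"alice","token":"constructed-sample-token"}]';

// Evaluate text in the global scope, as a <script> tag would (indirect eval).
function evaluateAsScript(text) {
  return (0, eval)('(' + text + ')');
}

// Probe 1: is a redefined global Array constructor invoked for array literals?
function probeArrayConstructorHook() {
  const original = globalThis.Array;
  const seen = [];
  globalThis.Array = function (...elements) { seen.push(elements); };
  try {
    evaluateAsScript(SAMPLE_JSON);
  } finally {
    globalThis.Array = original; // always restore the real constructor
  }
  return { vulnerable: seen.length > 0, captured: seen };
}

// Probe 2: does an object literal whose key has a setter on Object.prototype
// call that setter instead of defining an own data property?
function probeObjectPrototypeSetter() {
  const captured = [];
  Object.defineProperty(Object.prototype, 'token', {
    set(value) { captured.push(value); },
    configurable: true,
  });
  let ownValue;
  try {
    ownValue = evaluateAsScript(SAMPLE_JSON)[0].token;
  } finally {
    delete Object.prototype.token; // always remove the hook
  }
  return { vulnerable: captured.length > 0, captured, ownValue };
}

// Both results together; a modern engine reports vulnerable: false for each.
function jsonHijackingReport() {
  return {
    arrayConstructor: probeArrayConstructorHook(),
    objectSetter: probeObjectPrototypeSetter(),
  };
}

console.log(JSON.stringify(jsonHijackingReport(), null, 2));
```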
Checks whether the browser supports the sandbox attribute, which enables a set of extra restrictions on any content hosted by the iframe.
Checks whether the browser supports Strict Transport Security, which enables web sites to declare themselves accessible only via secure connections.
Checks whether the browser supports the APIs for making cross-origin requests.
Most browsers style visited links through the :visited CSS pseudo-class. A user's browsing history can be sniffed by probing links for the styling this pseudo-class applies. We test whether browsers restrict access to the :visited pseudo-class.
Checks whether the browser supports Content Security Policy, which reduces the XSS attack surface for websites that wish to opt in.