Google has announced a number of security enhancements that "make it easier for developers to build secure web sites", writes Adam Barth, one of the software engineers working on the project. Some security features have already been implemented in other browsers, including Firefox and IE and in significant add-ons like NoScript.
Chrome Security: Strict-Transport-Security
Strict-Transport-Security lets a high-security web site tell the browser that it wants to be contacted over a secure connection only. That means the browser will always use HTTPS to connect to the site and will treat all HTTPS errors as hard stops (instead of prompting the user to "click through" certificate errors).
Chrome Security: Cross-Origin Communication with postMessage
postMessage API provides a richer interaction and more secure communication between frames, and enables the creation of more secure versions of existing gadgets.
Chrome Security: CSRF Protection via Origin Header
The Origin header is a new HTML5 feature that helps you defend your site against cross-site request forgery (CSRF) attacks. In a CSRF attack, a malicious web site, say attacker.com, instructs the user's browser to send an HTTP request to a target server, say example.com, that confuses the example.com server into performing some action.Chrome Security: ClickJacking Protection with X-Frame-Options
First introduced in Internet Explorer 8, X-Frame-Options is a security feature that lets web sites defend themselves against clickjacking attacks. To defend against clickjacking, a web developer can request that a web page not be loaded inside a frame by including the X-Frame-Options: deny HTTP header. X-Frame-Options is implemented in Google Chrome, Internet Explorer 8, and Safari 4.
Chrome Security: Reflective XSS Protection
This feature protects against a type of cross-site scripting (XSS) attack. IE8 introduced an XSS filter which checks if a script that is about to be run is also present in the HTTP request for the page, which is a strong clue that it is an XSS attack. The XSS filter is similar to those found in Internet Explorer 8 andNoScript. Google is implementing their support in the WebKit rendering engine which has some technical advantages and also allows other WebKit-based browsers, such as Apple's, to get the same benefits.