Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security.
And they’ve used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction.
These logical flaws are not necessarily security vulnerabilities, but they can be. They’re inconsistencies between Web platform specifications and the way these specs actually get implemented within web browsers.
WebSpec was developed by Lorenzo Veronese, Benjamin Farinier, Mauro Tempesta, Marco Squarcina, and Matteo Maffei in an effort to bring rigor to web security through automated, verifiable rule checking rather than manual evaluation.