Posted by Andrew.
Google has announced a number of security enhancements that "make it easier for developers to build secure web sites", writes Adam Barth, one of the software engineers working on the project. Some security features have already been implemented in other browsers, including Firefox and IE and in significant add-ons like NoScript.
Strict-Transport-Security lets a high-security web site tell the browser that it wants to be contacted over a secure connection only. That means the browser will always use HTTPS to connect to the site and will treat all HTTPS errors as hard stops (instead of prompting the user to "click through" certificate errors).
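To make the mechanism concrete, here is a small policy cache of the kind a browser keeps for Strict-Transport-Security. This is an added example, not code from Google's announcement or from Chrome; the header name and its `max-age` / `includeSubDomains` directives are the real ones, while the host names and the lowercase-keyed `headers` object are constructed for the example.

```javascript
// Added example: a minimal HSTS policy cache. Host names are constructed
// sample values; `headers` is assumed to be an object keyed by lowercase
// header name.

// Parse "max-age=N[; includeSubDomains]" into a policy, or null if the
// header is malformed (a browser ignores a header it cannot parse).
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const [name, value] = directive.split('=').map(s => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      if (!/^\d+$/.test(value ?? '')) return null;
      maxAge = Number(value);
    } else if (lname === 'includesubdomains') {
      includeSubDomains = true;
    }
    // unknown directives are ignored
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a policy only when it arrived over HTTPS; an HSTS header seen on a
  // plain HTTP response must be ignored, otherwise a network attacker could
  // plant policies. Returns true if the store was updated.
  recordResponse(url, headers, nowMs) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const value = headers['strict-transport-security'];
    if (!value) return false;
    const policy = parseHsts(value);
    if (!policy) return false;
    if (policy.maxAge === 0) { this.entries.delete(u.hostname); return true; }
    this.entries.set(u.hostname, {
      expiresMs: nowMs + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // A host is "known" if it, or a parent domain with includeSubDomains,
  // has an unexpired entry. Expired entries are dropped as they are met.
  isKnownHost(hostname, nowMs) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expiresMs <= nowMs) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite http:// to https:// for known hosts before any request is sent.
  upgrade(url, nowMs) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHost(u.hostname, nowMs)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }

  // For a known host, any certificate error is a hard stop: no click-through.
  shouldHardFail(hostname, nowMs) { return this.isKnownHost(hostname, nowMs); }
}
```

The two checks that matter for a defender are visible in `recordResponse`: the policy is learned only over HTTPS, and `max-age=0` clears it; everything else is a plain string-to-host lookup with expiry.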
The postMessage API provides richer and more secure communication between frames, and makes it possible to build more secure versions of existing gadgets.
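What makes postMessage safer than the older frame-communication tricks is that both sides can name the origin they are talking to. The example below is added here and is not code from the post; it shows the receiver checking `event.origin` before touching `event.data` and the sender naming a target origin instead of `'*'`. The origins are constructed sample values, and `fakeWindow` stands in for a real window reference so the code runs under Node, but the event fields it delivers (`origin`, `data`, `source`) are what a browser supplies.

```javascript
// Added example: origin-checked postMessage between a host page and a gadget
// frame. Origins are constructed; fakeWindow is a stand-in for a window object.

const GADGET_ORIGIN = 'https://gadget.example'; // constructed
const HOST_ORIGIN = 'https://host.example';     // constructed

const gadgetState = { title: '' };

// Handlers keyed by message type. Each treats the payload as untrusted input.
const gadgetHandlers = {
  setTitle(payload) {
    gadgetState.title = String(payload).slice(0, 80);
    return gadgetState.title;
  },
};

// Receiver side: reject anything not from the expected origin, then validate
// the message shape before dispatching. Returns what it did, for checking.
function makeReceiver(expectedOrigin, handlers) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return { accepted: false, reason: 'origin' };
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'shape' };
    }
    const handler = Object.prototype.hasOwnProperty.call(handlers, msg.type)
      ? handlers[msg.type] : null;
    if (!handler) return { accepted: false, reason: 'unknown type' };
    return { accepted: true, result: handler(msg.payload) };
  };
}

// Sender side: always name the target origin. A '*' target would hand the
// data to whatever document happens to be loaded in the frame at that moment.
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*') throw new Error('wildcard target origin not allowed');
  targetWindow.postMessage(message, targetOrigin);
}

// Stand-in for a window: the browser delivers the message only if the
// requested target origin matches the document currently loaded there.
function fakeWindow(loadedOrigin, listener, senderOrigin) {
  return {
    results: [],
    postMessage(message, targetOrigin) {
      if (targetOrigin !== loadedOrigin) return; // silently dropped, as in a browser
      this.results.push(listener({ origin: senderOrigin, data: message, source: null }));
    },
  };
}

// The gadget frame only listens to its host page.
const gadgetReceiver = makeReceiver(HOST_ORIGIN, gadgetHandlers);
```

In a real page the receiver is registered with `window.addEventListener('message', gadgetReceiver)` and the sender calls `frame.contentWindow.postMessage(msg, GADGET_ORIGIN)`; the origin check on receipt is the part most often left out.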
First introduced in Internet Explorer 8, X-Frame-Options is a security feature that lets web sites defend themselves against clickjacking attacks. To defend against clickjacking, a web developer can request that a web page not be loaded inside a frame by including the X-Frame-Options: deny HTTP header. X-Frame-Options is implemented in Google Chrome, Internet Explorer 8, and Safari 4.
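The header is simple, so the useful thing to see is the decision a browser makes from it and the one line a server needs. The following is an added example, not code from the post or from any browser; the origins are constructed, and the `SAMEORIGIN` check here compares against the top-level document's origin, which is how the header was originally defined (browsers have differed on whether every ancestor frame is checked).

```javascript
// Added example: evaluating X-Frame-Options on the browser side and setting
// it on the server side. Origins are constructed sample values; `headers` is
// assumed to be an object keyed by lowercase header name.

// Decide whether a response with `headers` may be rendered inside a frame
// whose top-level document has `topOrigin`.
function mayRenderInFrame(headers, frameOrigin, topOrigin) {
  const raw = headers['x-frame-options'];
  if (raw === undefined) return { allowed: true, reason: 'no header' };
  const value = raw.trim().toUpperCase();
  if (value === 'DENY') return { allowed: false, reason: 'DENY' };
  if (value === 'SAMEORIGIN') {
    const same = frameOrigin === topOrigin;
    return { allowed: same, reason: same ? 'SAMEORIGIN match' : 'SAMEORIGIN mismatch' };
  }
  // Browsers ignore a value they do not recognise, so a typo buys no protection.
  return { allowed: true, reason: 'unrecognised value ignored' };
}

// Server side, for a Node http response object: pages that should never be
// framed (login, settings, anything with a button worth hijacking) get DENY.
function addFrameDefence(res, policy = 'DENY') {
  res.setHeader('X-Frame-Options', policy);
  return res;
}
```

The "unrecognised value" branch is the one to test in your own deployment: a misspelled directive is not a weaker policy, it is no policy at all.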
The new XSS filter protects against a type of cross-site scripting (XSS) attack. IE8 introduced an XSS filter which checks whether a script that is about to run is also present in the HTTP request for the page, which is a strong clue that it is an XSS attack. Google's filter is similar to those found in Internet Explorer 8 and NoScript. Google is implementing its support in the WebKit rendering engine, which has some technical advantages and also lets other WebKit-based browsers, such as Apple's, get the same benefits.
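The core check described above, "is the script about to run also in the request?", can be shown in a few lines. This is an added example and a simplification; it is not the IE8 or WebKit algorithm, which handle many more encodings, partial matches and event-handler attributes, and which neutralise the script rather than just report it. The request URL and page below are constructed.

```javascript
// Added example: a simplified reflected-script check. Not the IE8/WebKit
// filter; sample request and response are constructed.

// Every query-string value, percent-decoded and with '+' turned into a
// space, which is how URLSearchParams already presents them.
function requestInputs(requestUrl) {
  const url = new URL(requestUrl);
  const inputs = [];
  for (const [, value] of url.searchParams) inputs.push(value);
  return inputs;
}

// Inline <script> elements in the response, as text including their tags.
function inlineScripts(html) {
  const found = [];
  const re = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[0]);
  return found;
}

function collapseWhitespace(s) {
  return s.replace(/\s+/g, ' ').trim().toLowerCase();
}

// Scripts in the response that also appear verbatim (modulo whitespace and
// case) inside some request input: a strong sign they were reflected rather
// than authored by the page.
function reflectedScripts(requestUrl, responseHtml) {
  const inputs = requestInputs(requestUrl).map(collapseWhitespace);
  return inlineScripts(responseHtml).filter(script => {
    const needle = collapseWhitespace(script);
    return inputs.some(input => input.includes(needle));
  });
}
```

Note what the heuristic cannot see: a script the page's own code assembles from a reflected fragment, or an input echoed inside an existing script block, never appears as a whole `<script>` element in the request. That is why the filter is a second line of defence and output encoding on the server remains the fix.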