CS 142 Winter 2009

Frame isolation and the same origin policy

Collin Jackson
Outline

Security User Interface
• Goals of a browser
• When is it safe to type my password?

Same-Origin Policy
• How sites are isolated
• Opting out of isolation

Navigation
• Frame hijacking
• Navigation policy
Running Remote Code is Risky

Integrity
• Compromise your machine
• Install malware rootkit
• Transact on your accounts

Confidentiality
• Read your information
• Steal passwords
• Read your email
Browser Sandbox

Goal
• Run remote web applications safely
• Limited access to OS, network, and browser data

Approach
• Isolate sites in different security contexts
• Browser manages resources, like an OS
Security User Interface
When is it safe to type my password?

Safe to type your password? [screenshot examples, one per slide; images not included]
Frames

Modularity
• Brings together content from multiple sources
• Client-side aggregation

Delegation
• Frame can draw only on its own rectangle

[Figure: two frames on one page, src = google.com/… with name = awglogin, and src = 7.gmodules.com/... with name = remote_iframe_7]
Popup windows

With hyperlinks
<a href="http://www.b.com" target="foo">click here</a>

With JavaScript
mywin = window.open("http://www.b.com", "foo", "width=10,height=10")
• Navigating a named window re-uses the existing one
• Can access properties of the remote window:
mywin.document.body
mywin.location = "http://www.c.com";
Windows Interact

Are all interactions good?
Same-Origin Policy
How does the browser isolate different sites?
Policy Goals
• Safe to visit an evil web site
• Safe to visit two pages at the same time
  • Address bar distinguishes them
• Allow safe delegation
Same Origin Policy

Origin = protocol://host:port

Full access to same origin
• Full network access
• Read/write DOM
• Storage (more on Weds.)

[Figure: Site A running in the Site A context]

Assumptions?
Library import

<script src=https://seal.verisign.com/getseal?host_name=a.com></script>

[Figure: Site A context loading a script from VeriSign]

• Script has privileges of the imported page, NOT the source server.
• Can script other pages in this origin, load more scripts
• Other forms of importing
Data export

Many ways to send information to other origins:

<form action="http://www.bank.com/">
<input name="data" type="hidden" value="hello">
</form>
<img src="http://www.b.com/?data=hello"/>

• No user involvement required
• Cannot read back the response
Domain Relaxation

[Figure: www.facebook.com and chat.facebook.com each set document.domain to facebook.com and end up in a shared origin]

Origin: scheme, host, (port), hasSetDomain

Try document.domain = document.domain
Recent Developments

Cross-origin network requests [Figure: Site A context and Site B context]

Access-Control-Allow-Origin: <list of domains>
Access-Control-Allow-Origin: *
Cross-origin client side communication
• Client-side messaging via navigation (older browsers)
• postMessage (newer browsers)
window.postMessage

New API for inter-frame communication
• Supported in latest betas of many browsers
• A network-like channel between frames

[Figure: two gadgets in separate frames, "Add a contact" and "Share contacts"]
postMessage syntax

frames[0].postMessage("Attack at dawn!", "http://b.com/");

window.addEventListener("message", function (e) {
  if (e.origin == "http://a.com") {
    ... e.data ...
  }
}, false);

[Figure: the message "Attack at dawn!" delivered between frames]

Facebook Anecdote
Navigation
Who decides what content goes in a frame?

A Guninski Attack

[Figure: the login frame named awglogin]

window.open("https://attacker.com/", "awglogin");
What should the policy be?
• Sibling
• Frame Bust
• Child
• Descendant
Legacy Browser Behavior

Browser            Policy
IE 6 (default)     Permissive
IE 6 (option)      Child
IE7 (no Flash)     Descendant
IE7 (with Flash)   Permissive
Firefox 2          Window
Safari 3           Permissive
Opera 9            Window
HTML 5             Child
Window Policy Anomaly

top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
Adoption of Descendant Policy

Browser            Policy
IE7 (no Flash)     Descendant
IE7 (with Flash)   Descendant
Firefox 3          Descendant
Safari 3           Descendant
Opera 9            (many policies)
HTML 5             Descendant
Why include "targetOrigin"?

What goes wrong?

frames[0].postMessage("Attack at dawn!");

• Messages are sent to frames, not principals
  • When would this happen?
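As an added example (not from the slides), here is a small Node-runnable model of the two checks the slides rely on: the browser dropping a message whose targetOrigin does not match the frame's current origin, and the receiver comparing e.origin exactly. Frame, postMessageTo, acceptMessage and scenario are assumed names for this illustration; the frame navigated to attacker.com plays the role of the Guninski attack above.

```javascript
// Added example, not from the slides: a small model of why postMessage
// takes a targetOrigin and why the receiver must compare e.origin exactly.
// Frame, postMessageTo (the model, not the real API), acceptMessage and
// scenario are assumed names for this illustration.

// Origin = protocol://host:port, serialized the way browsers report it
// (default port omitted), e.g. "http://a.com" or "http://a.com:8080".
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A frame keeps its identity while its document is navigated elsewhere,
// e.g. by window.open("https://attacker.com/", "awglogin").
class Frame {
  constructor(url) { this.url = url; this.received = []; }
  navigate(url) { this.url = url; }
}

// Browser-side enforcement of targetOrigin: deliver only if the target's
// current origin matches (or the sender asked for "*", i.e. anyone).
function postMessageTo(sender, target, data, targetOrigin) {
  if (targetOrigin !== "*" && !sameOrigin(targetOrigin, target.url)) {
    return false; // silently dropped, the data never reaches the frame
  }
  target.received.push({ data, origin: originOf(sender.url) });
  return true;
}

// Receiver-side check from the slides: exact comparison of e.origin.
// A substring/prefix test would accept "http://a.com.evil.example".
function acceptMessage(e, expectedOrigin) {
  return e.origin === originOf(expectedOrigin);
}

// Constructed scenario: a.com sends to frames[0], expecting b.com there,
// but the frame has been navigated to attacker.com (a Guninski attack).
function scenario() {
  const a = new Frame("http://a.com/page");
  const child = new Frame("http://b.com/widget");
  child.navigate("https://attacker.com/");
  const leaked = postMessageTo(a, child, "Attack at dawn!", "*");
  const kept = postMessageTo(a, child, "Attack at dawn!", "http://b.com/");
  return { leaked, kept, attackerGot: child.received.map((m) => m.data) };
}
```

Running scenario() shows the message reaching the attacker's document only when targetOrigin is "*"; with "http://b.com/" the browser drops it because the frame no longer holds b.com.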
Conclusion

Same origin policy is flexible
• Address bar reflects the principal that's in control
• Content may be affected by other principals

Delegation
• Library import
• Domain relaxation
• Pixel delegation via frames

Communication
• Data export
• Opt-in messaging
Reading

Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell

http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
