CS 142 Winter 2009
Frame isolation and the
same origin policy
Collin Jackson
Outline
Security User Interface
Goals of a browser
When is it safe to type my password?
Same-Origin Policy
How sites are isolated
Opting out of isolation
Navigation
Frame hijacking
Navigation policy
Running Remote Code is Risky
Integrity
Compromise your machine
Install malware rootkit
Transact on your accounts
Confidentiality
Read your information
Steal passwords
Read your email
Browser Sandbox
Goal
Run remote web applications safely
Limited access to OS, network, and
browser data
Approach
Isolate sites in different security contexts
Browser manages resources, like an OS
Security User Interface
When is it safe to type my password?
Safe to type your password?
(series of screenshot slides; images not recoverable from this extraction)
Frames
Modularity
Brings together content from multiple sources
Client-side aggregation
Delegation
Frame can draw only on its own rectangle
(diagram: two iframes, one with src = [Link]/… name = awglogin, one with src = [Link]/... name = remote_iframe_7)
Popup windows
With hyperlinks
<a href="[Link]" target="foo">click here</a>
With JavaScript
mywin = window.open("[Link]", "foo", "width=10,height=10")
Navigating named window re-uses existing one
Can access properties of remote window:
[Link]
mywin.location = "[Link]"
Windows Interact
Are all interactions good?
Are all interactions good?
Same-Origin Policy
How does the browser isolate different sites?
Policy Goals
Safe to visit an evil web site
Safe to visit two pages at the same time
Address bar distinguishes them
Allow safe delegation
Same Origin Policy
Origin = protocol://host:port
Site A
Full access to same origin
Full network access
Read/write DOM
Storage (more on Weds.)
Site A context
Assumptions?
Site A context
Library import
<script src="[Link]?host_name=[Link]"></script>
VeriSign
• Script has privileges of imported page, NOT source server.
• Can script other pages in this origin, load more scripts
• Other forms of importing
Data export
Many ways to send information to other origins
<form action="[Link]">
<input name="data" type="hidden" value="hello">
</form>
<img src="[Link]">
No user involvement required
Cannot read back response
Domain Relaxation
(diagram of related hosts, shown as [Link] in this extraction, indicating which pairs may relax to a shared domain)
Origin: scheme, host, (port), hasSetDomain
Try document.domain = "[Link]"
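The two slides above define an origin as the tuple scheme://host:port and then extend it with a hasSetDomain bit for document.domain relaxation. The following is an added example, not code from the lecture: it computes that tuple with Node's URL parser, compares origins, and models the relaxation rule (a page may only relax to a suffix of its own host, both sides must opt in, and after relaxation the port is ignored, which is why the slide writes "(port)"). The hostnames and the "must contain a dot" public-suffix check are constructed simplifications for illustration.

```javascript
// Added example (not from the slides): the origin tuple scheme://host:port and
// the document.domain relaxation rule with its "hasSetDomain" bit. All URLs and
// hostnames are constructed for illustration.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port). The port belongs to the origin even when the
// URL omits it, so the scheme's default is filled in before comparing.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORT[u.protocol] || "",
  };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A document that may opt into domain relaxation by setting document.domain.
class Page {
  constructor(url) {
    this.origin = originOf(url);
    this.domain = this.origin.host;   // effective domain, initially the full host
    this.hasSetDomain = false;        // the extra bit in the slides' origin tuple
  }
  // document.domain may only be set to a suffix of the page's own host. Public
  // suffixes are refused; "must contain a dot" is a simplification of the real
  // public-suffix check, used here to keep the example self-contained.
  setDomain(value) {
    const host = this.origin.host;
    const isSuffix = host === value || host.endsWith("." + value);
    if (!isSuffix || !value.includes(".")) {
      throw new Error(`refusing document.domain = "${value}" for host ${host}`);
    }
    this.domain = value;
    this.hasSetDomain = true;
  }
}

// May page p script page q? With neither side relaxed this is plain same-origin.
// Once both have set document.domain, scheme and effective domain must match and
// the port is ignored (hence "(port)" on the slide). A page that set
// document.domain cannot reach one that did not, and vice versa.
function canScript(p, q) {
  if (p.hasSetDomain !== q.hasSetDomain) return false;
  if (!p.hasSetDomain) {
    return p.origin.scheme === q.origin.scheme &&
           p.origin.host === q.origin.host &&
           p.origin.port === q.origin.port;
  }
  return p.origin.scheme === q.origin.scheme && p.domain === q.domain;
}

// Walk through the relaxation steps with two constructed subdomains.
function relaxationDemo() {
  const login = new Page("https://login.bank.example/");
  const www = new Page("https://www.bank.example:8443/");
  const before = canScript(login, www);      // different hosts: isolated
  login.setDomain("bank.example");
  const oneSided = canScript(login, www);    // only one side opted in: still isolated
  www.setDomain("bank.example");
  const relaxed = canScript(login, www);     // both opted in: port ignored, scripting allowed
  let refused = false;
  try { login.setDomain("example"); } catch (e) { refused = true; }  // public suffix
  return { before, oneSided, relaxed, refused };
}

console.log(relaxationDemo());
```

The one-sided case is the security-relevant detail: relaxing your own document.domain does not let you reach a sibling host that never opted in, but it does expose your page to every other host under that domain that does opt in, so the relaxation is only as safe as the least trusted subdomain.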
Recent Developments
Cross-origin network requests
(diagram: Site A context, Site B context)
Access-Control-Allow-Origin: <list of domains>
Access-Control-Allow-Origin: *
Cross-origin client side communication
Client-side messaging via navigation (older browsers)
postMessage (newer browsers)
postMessage
New API for inter-frame communication
Supported in latest betas of many browsers
A network-like channel between frames
(diagram: two frames exchanging "Add a contact" and "Share contacts" messages)
postMessage syntax
frames[0].postMessage("Attack at dawn!", "[Link]");
window.addEventListener("message", function (e) {
  if (e.origin == "[Link]") {
    ... e.data ...
  }
}, false);
(diagram: the message "Attack at dawn!" delivered to a Facebook frame)
Anecdote
Navigation
Who decides what content goes in a frame?
A Guninski Attack
window.open("[Link]", "awglogin");
(diagram: a second window navigating the frame named awglogin)
What should the policy be?
Sibling
Frame Bust
Child
Descendant
Legacy Browser Behavior
Browser           Policy
IE 6 (default)    Permissive
IE 6 (option)     Child
IE7 (no Flash)    Descendant
IE7 (with Flash)  Permissive
Firefox 2         Window
Safari 3          Permissive
Opera 9           Window
HTML 5            Child
Window Policy Anomaly
top.frames[1].location = "[Link]";
top.frames[2].location = "[Link]";
...
Adoption of Descendant Policy
Browser           Policy
IE7 (no Flash)    Descendant
IE7 (with Flash)  Descendant
Firefox 3         Descendant
Safari 3          Descendant
Opera 9           (many policies)
HTML 5            Descendant
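The slides from the Guninski attack through the two policy tables compare four frame-navigation policies (Permissive, Window, Child, Descendant) by which frames a given frame is allowed to navigate. The following is an added example, not code from the lecture or from any browser: it models a frame tree, implements the four policies as stated, and evaluates the Guninski attack (cross-window navigation of a named frame), the window-policy anomaly (a third-party frame navigating a sibling), and two benign ancestor navigations. Frame names, origins and the tree layout are constructed; real browsers add exceptions to these definitions (for example for same-origin frames and for a nested frame navigating its own top-level window) that this model leaves out.

```javascript
// Added example (not from the slides): the four frame-navigation policies from
// the lecture, applied to a constructed frame tree. Not browser code.

class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;       // scheme://host:port of the document in the frame
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
  top() {                       // the top-level frame of this frame's window
    let f = this;
    while (f.parent) f = f.parent;
    return f;
  }
  isAncestorOf(other) {
    for (let f = other.parent; f; f = f.parent) if (f === this) return true;
    return false;
  }
}

const POLICIES = ["permissive", "window", "child", "descendant"];

// May `source` set the location of `target` under `policy`?
//   permissive: any frame may navigate any other frame
//   window:     any frame in the same window
//   child:      only the frame's direct children
//   descendant: any frame in the frame's own subtree
function canNavigate(policy, source, target) {
  if (source === target) return true;     // a frame may always navigate itself
  switch (policy) {
    case "permissive": return true;
    case "window":     return source.top() === target.top();
    case "child":      return target.parent === source;
    case "descendant": return source.isAncestorOf(target);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed scenario: a bank page framing its own login form and a
// third-party ad, plus an unrelated window that an attacker controls.
function buildScenarios() {
  const bank = new Frame("top", "https://bank.example");
  const login = new Frame("awglogin", "https://bank.example", bank);
  const ad = new Frame("ad", "http://ads.example", bank);
  const adInner = new Frame("ad_inner", "http://ads.example", ad);
  const attacker = new Frame("top", "http://attacker.example");   // separate window
  return {
    // Guninski attack: window.open(url, "awglogin") issued from the other window
    guninski: [attacker, login],
    // Window-policy anomaly: the ad frame navigates its sibling login frame
    siblingHijack: [ad, login],
    parentToChild: [bank, login],
    grandparentToGrandchild: [bank, adInner],
  };
}

// Evaluate every scenario under every policy: { scenario: { policy: allowed } }.
function evaluate() {
  const result = {};
  for (const [name, [src, dst]] of Object.entries(buildScenarios())) {
    result[name] = {};
    for (const policy of POLICIES) result[name][policy] = canNavigate(policy, src, dst);
  }
  return result;
}

console.table(evaluate());
```

Reading the table row by row reproduces the lecture's argument: the window policy stops the Guninski attack but not a sibling frame hijack, the child policy stops both but forbids an ancestor from managing frames nested more than one level down, and the descendant policy blocks both attacks while keeping ancestor navigation.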
Why include “targetOrigin”?
What goes wrong?
frames[0].postMessage("Attack at dawn!");
Messages sent to frames, not principals
When would this happen?
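The postMessage syntax slide shows the receiver checking e.origin, and the slide above asks why the sender must pass targetOrigin, answering that messages are delivered to frames, not to principals. The following is an added example, not code from the lecture and not a real window API: a small model in which deliver() plays the browser's part of target.postMessage(data, targetOrigin), frames can be navigated to a different origin, and listeners receive an event whose origin is set by the "browser". It shows the secret reaching a hijacked frame when targetOrigin is omitted, the browser dropping the same message when targetOrigin is given, and the receiver-side check discarding a message from an unexpected origin. All origins and messages are constructed.

```javascript
// Added example (not from the slides): a model of postMessage delivery and of the
// receiver-side origin check. Frames, origins and messages are constructed; the
// "browser" is the deliver() function below, not a real window API.

class Frame {
  constructor(origin) {
    this.origin = origin;       // origin of the document currently in the frame
    this.listeners = [];
  }
  // The receiver's window.addEventListener("message", handler, false).
  addEventListener(type, handler) {
    if (type === "message") this.listeners.push(handler);
  }
  // Navigation replaces the document, and with it the principal that will
  // receive later messages. Any frame allowed to navigate this one can do this.
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.listeners = [];
  }
}

// What the browser does for target.postMessage(data, targetOrigin) called from
// sender. e.origin is filled in by the browser, so the receiver can rely on it.
function deliver(sender, target, data, targetOrigin = "*") {
  if (targetOrigin !== "*" && targetOrigin !== target.origin) return false; // dropped
  const event = { data, origin: sender.origin };
  for (const handler of target.listeners) handler(event);
  return true;
}

// The receiver pattern from the slide: act only on messages from the expected principal.
function makeReceiver(trustedOrigin, accepted) {
  return function (e) {
    if (e.origin === trustedOrigin) accepted.push(e.data);
  };
}

function run() {
  const APP = "https://app.example";
  const CONTACTS = "https://contacts.example";
  const EVIL = "http://attacker.example";
  const app = new Frame(APP);

  // (1) No targetOrigin: the message goes to whichever document is in the frame.
  let frame = new Frame(CONTACTS);
  frame.navigate(EVIL);                          // frame was hijacked before the send
  const stolen = [];
  frame.addEventListener("message", (e) => stolen.push(e.data));
  deliver(app, frame, "Attack at dawn!");        // frames[0].postMessage("Attack at dawn!")
  const leaked = stolen.includes("Attack at dawn!");

  // (2) With targetOrigin: the browser refuses to deliver to the hijacked frame.
  const delivered = deliver(app, frame, "Attack at dawn!", CONTACTS);

  // (3) Receiver side: a spoofed message from another origin is ignored.
  frame = new Frame(CONTACTS);
  const accepted = [];
  frame.addEventListener("message", makeReceiver(APP, accepted));
  deliver(new Frame(EVIL), frame, "add contact: mallory");
  deliver(app, frame, "add contact: alice");

  return { leaked, delivered, accepted };
}

console.log(run());
```

The two checks protect different parties: targetOrigin protects the sender's confidentiality against a frame that has been navigated away, and the e.origin comparison protects the receiver's integrity against any frame that can obtain a reference to it.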
Conclusion
Same origin policy is flexible
Address bar reflects the principal that's in control
Content may be affected by other principals
Delegation
Library import
Domain relaxation
Pixel delegation via frames
Communication
Data export
Opt-in messaging
Reading
Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell
[Link]iki/Part2#Same-origin_policy