
Safety on the Client Script

Security of Browser
In this lecture:

01 INTRODUCTION
02 JSON
03 SAME-ORIGIN POLICY
04 SANDBOX
05 Client-Side vs. Server-Side


INTRODUCTION
In recent years, with the development of the Internet, it can be said that the browser is the biggest entrance to the Internet; the vast majority of users access the Internet using the browser. This has resulted in a tremendous rise in the browser market.

Defining the Same-Origin Policy
The same-origin policy is essentially an agreement among browser manufacturers (mainly Microsoft, Apple, Google, Mozilla and Opera) on a standard way to limit the functionality of scripting code running in users' web browsers.
An Important Distinction: Client-Side vs. Server-Side

01 The same-origin policy has absolutely no effect on what pages or sites any server-side code can access.

03 The same-origin policy only applies to browsers running client-side scripting code.
An Important Distinction: Client-Side vs. Server-Side

01 What is the difference, and why would browsers go to the trouble of implementing a restriction like this when there are no restrictions at all for the server code?

03 The answer is simple: cookies.


An Important Distinction: Client-Side vs. Server-Side

01 For example, when I visit www.amazon.com, my browser sends a cookie back with my request (in this particular case, the cookie's name is "x-main") with a value that uniquely identifies me to Amazon (let's say the value is "12345").

03 This is why when I visit Amazon, I get a completely different page than when you visit Amazon.
Example

A server must be active to reply with data to the robot, and in this case a small Python server program is used. The example below is a server that listens for incoming requests. The server runs on a PC with the IP address 192.168.0.100 and uses port 30000. When a connection is received, the server monitors the data received, and if the data is "asking_for_data" the server replies with 200, 50, 45 to the client. These values are the offset of the target item from the idle position of the robot.

Example: server side
Example: client side
The main point of the same-origin policy is not to prevent web applications from reading resources from other sites, but rather to prevent web applications from reading personalized, potentially sensitive and private resources from other sites.
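The slides describe what the same-origin policy protects but not how a browser decides that two URLs share an origin. As an added example (not part of the original slides), the following code applies the standard definition, which compares the scheme, host and port of the two URLs, to the Amazon page from the cookie example. The candidate URLs are constructed for illustration and say nothing about Amazon's real site layout.

```javascript
// Added example (not part of the original slides): what "same origin"
// means in practice. Browsers compare the scheme, host and port of two
// URLs; only when all three match may script from one page read the
// other's response.

// Returns "scheme://host:port" with default ports made explicit, so that
// https://site/ and https://site:443/ compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample: the page the script runs on (the slides' Amazon
// example) and URLs a script on that page might try to read. The hosts
// are illustrative, not a description of Amazon's real site layout.
const pageUrl = "https://www.amazon.com/account";
const candidates = [
  "https://www.amazon.com/orders",       // same origin
  "https://www.amazon.com:443/orders",   // same origin (default port)
  "http://www.amazon.com/orders",        // different scheme
  "https://smile.amazon.com/orders",     // different host (subdomain)
  "https://www.amazon.com:8443/orders",  // different port
  "https://www.example.com/",            // different site entirely
];

// Classify each candidate so the reader can see which responses the
// browser lets a script on pageUrl read.
function classify(page, urls) {
  return urls.map((u) => ({ url: u, sameOrigin: isSameOrigin(page, u) }));
}

const results = classify(pageUrl, candidates);
for (const r of results) {
  console.log(`${r.url} -> ${r.sameOrigin ? "same origin" : "cross-origin"}`);
}
```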
A World Without the Same-Origin Policy
What application developers and attackers may have in common is a shared loathing of the same-origin policy. WHY??

Answer: it keeps them from getting to other sites' data.
But their reasons are different:

the attacker wants data so he can sell it, and the developer may just have an idea for creating a new mashup (a web site combining the functionality of two or more other sites).
Ex. TwitterVision is a mashup of Twitter and Google Maps that shows you where tweets are coming from in real time. But for better and worse, the same-origin policy gets in the way in both cases.
JSON
JSON (JavaScript Object Notation) is an open-standard format that uses human-readable text to transmit data objects.

Many web services now use JSON as their data format instead of XML because JSON is generally more compact, more human-readable, and because JSON objects are also valid JavaScript.

In JSON, web services send data as strings, not native JavaScript objects. So, you have to convert it into an object before you can work with it.

JSON
One popular but insecure way is to use the JavaScript function "eval" to evaluate the JSON string (that is, execute it as if it were code) and create an object from it.

A better alternative to "eval" is to use the native JavaScript function JSON.parse, which is much more secure and won't execute malicious script.

JSON.parse is available in IE as of IE8, Firefox as of version 3.5, Safari as of 4.0, and all versions of Chrome.

Eval function vs. JSON.parse function
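As an added example (not part of the original slides), the following code puts the two approaches side by side: eval() executes whatever the "JSON" string contains, while JSON.parse accepts only the JSON grammar and throws on anything else. The sample responses and the recordSideEffect helper are constructed for the demonstration.

```javascript
// Added example (not from the original slides): why eval() on a JSON
// string is unsafe and JSON.parse() is the safe alternative.
// Counter recording whether any code ran while a string was "parsed".
let sideEffects = 0;
function recordSideEffect() {
  sideEffects += 1;
  return "executed";
}

// Constructed sample: a legitimate JSON response from a web service.
const goodJson = '{"user": "alice", "items": [1, 2, 3]}';

// Constructed sample: looks like JSON but contains a JavaScript call.
// A spoofed or compromised service could return this instead of data.
const badJson = '{"user": recordSideEffect(), "items": []}';

// The insecure approach from the slides: eval() runs the string as code.
// The parentheses make the braces parse as an object literal.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// The secure approach: JSON.parse accepts only the JSON grammar and never
// executes anything; non-JSON input throws a SyntaxError.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Run a parser and report the outcome instead of throwing.
function tryParse(parser, text) {
  try {
    return { ok: true, user: parser(text).user };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Both parsers handle legitimate JSON.
const evalGood = tryParse(parseWithEval, goodJson);
const jsonGood = tryParse(parseWithJsonParse, goodJson);

// Only eval() "succeeds" on the bad string, and it does so by running the
// embedded call: sideEffects becomes 1.
const evalBad = tryParse(parseWithEval, badJson);
const sideEffectsAfterEval = sideEffects;

// JSON.parse rejects the same string without executing anything.
const jsonBad = tryParse(parseWithJsonParse, badJson);
const sideEffectsAfterJsonParse = sideEffects;
```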
SANDBOX

In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.

In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualization. Sandboxing is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.
THANK
YOU
