Frame isolation and the same origin policy (PowerPoint transcript)

1
Frame isolation and the same origin policy
CS 142
Winter 2009
  • Collin Jackson

2
Outline
  • Security User Interface
    • Goals of a browser
    • When is it safe to type my password?
  • Same-Origin Policy
    • How sites are isolated
    • Opting out of isolation
  • Navigation
    • Frame hijacking
    • Navigation policy

3
Running Remote Code is Risky
  • Integrity
    • Compromise your machine
    • Install malware rootkit
    • Transact on your accounts
  • Confidentiality
    • Read your information
    • Steal passwords
    • Read your email

4
Browser Sandbox
  • Goal
    • Run remote web applications safely
    • Limited access to OS, network, and browser data
  • Approach
    • Isolate sites in different security contexts
    • Browser manages resources, like an OS

5
Security User Interface
  • When is it safe to type my password?

6-10
Safe to type your password?
[Screenshots: five browser windows, each asking whether it is safe to type a password into the page shown]
11
Frames
  • Modularity
    • Brings together content from multiple sources
    • Client-side aggregation
  • Delegation
    • Frame can draw only on its own rectangle

[Screenshot annotated with two frames:]
  src="google.com/" name="awglogin"
  src="7.gmodules.com/..." name="remote_iframe_7"
12
Popup windows
  • With hyperlinks
    <a href="http://www.b.com" target="foo">click here</a>
  • With JavaScript
    mywin = window.open("http://www.b.com", "foo", "width=10,height=10")
  • Navigating a named window re-uses the existing one
  • Can access properties of the remote window
    mywin.document.body   (readable only if the two windows are same-origin)
    mywin.location = "http://www.c.com"   (assignable even cross-origin)

13
Windows Interact
14
Are all interactions good?
15
Same-Origin Policy
  • How does the browser isolate different sites?

16
Policy Goals
  • Safe to visit an evil web site
  • Safe to visit two pages at the same time
    • Address bar distinguishes them
  • Allow safe delegation

17
Same Origin Policy
  • Origin = protocol://host:port
  • Full access to same origin
    • Full network access
    • Read/write DOM
    • Storage (more on Weds.)
  • Assumptions?

[Diagram: Site A running in its own Site A context]
18
Library import
    <script src="https://seal.verisign.com/getseal?host_name=a.com"></script>
  • The script runs with the privileges of the page that imports it, NOT of the server it came from.
  • It can script other pages in this origin and load more scripts
  • Other forms of importing

[Diagram: VeriSign seal script loaded into a.com's page]
19
Data export
  • Many ways to send information to other origins
    <form action="http://www.bank.com/">
      <input name="data" type="hidden" value="hello">
    </form>
    <img src="http://www.b.com/?data=hello"/>
  • No user involvement required
  • Cannot read back the response

20
Domain Relaxation
  • Origin = scheme, host, (port), hasSetDomain
  • Try document.domain = document.domain

[Diagram: www.facebook.com and chat.facebook.com each set document.domain to facebook.com and can then script each other]
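The origin tuple of slides 17 and 20, modelled as an added example (this is not code from the slides or from any browser). It assumes the default ports 80 and 443, uses a crude stand-in for the public-suffix rule (document.domain may only be set to a suffix of the host that keeps at least two labels), and the names originOf, setDocumentDomain and sameOrigin are chosen here:

```javascript
// Added example: the (scheme, host, port, hasSetDomain) origin tuple and the
// document.domain relaxation rules. Simplified model, not browser code.
// Assumption: a suffix with at least two labels stands in for the real
// public-suffix check.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a URL into the origin tuple the browser compares.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
    domain: null, // set by setDocumentDomain(); null means never set
  };
}

// Emulate "document.domain = value". Returns a new origin record with the
// hasSetDomain flag raised (domain !== null). Throws, as the browser does,
// when the value is not a suffix of the host.
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  const hostLabels = origin.host.split(".");
  const valueLabels = v.split(".");
  const isSuffix =
    valueLabels.length <= hostLabels.length &&
    hostLabels.slice(-valueLabels.length).join(".") === v;
  if (!isSuffix || valueLabels.length < 2) { // assumption: crude public-suffix rule
    throw new Error(`SecurityError: cannot set document.domain to "${value}"`);
  }
  return { ...origin, domain: v };
}

// Same-origin check. With neither side relaxed the full tuple must match.
// Once a document has set document.domain, only scheme and the chosen domain
// count: the port is ignored, and the document can no longer script one that
// has NOT set document.domain, even one loaded from the identical URL.
function sameOrigin(a, b) {
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return a.domain !== null && b.domain !== null &&
    a.scheme === b.scheme && a.domain === b.domain;
}

// Worked cases (constructed URLs):
const www = originOf("https://www.facebook.com/home");
const chat = originOf("https://chat.facebook.com:8443/");
// sameOrigin(www, chat) -> false: different host
// sameOrigin(www, originOf("http://www.facebook.com/")) -> false: different scheme
const wwwRelaxed = setDocumentDomain(www, "facebook.com");
const chatRelaxed = setDocumentDomain(chat, "facebook.com");
// sameOrigin(wwwRelaxed, chatRelaxed) -> true: both chose facebook.com, port ignored
// sameOrigin(www, wwwRelaxed) -> false: the "document.domain = document.domain" trap
// setDocumentDomain(www, "com") and setDocumentDomain(www, "evil.com") both throw
```

The last two comments are the point of the slide's "Try document.domain = document.domain": assigning the property, even to its own value, flips hasSetDomain, so a page that does it loses access to otherwise identical pages that did not.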
21
Recent Developments
  • Cross-origin network requests
    • Access-Control-Allow-Origin: <list of domains>
  • Cross-origin client side communication
    • Client-side messaging via navigation (older browsers)
    • postMessage (newer browsers)

[Diagram: Site A context and Site B context, Site A talking to Site B]
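As an added example of the Access-Control-Allow-Origin header above (not code from the slides), a server-side decision routine in JavaScript. The allowlist, the origins in it and the function names corsHeadersReflectAnything and corsHeaders are constructed for this example; the request's Origin header is assumed to arrive as a string or undefined:

```javascript
// Added example: choosing the Access-Control-Allow-Origin response header.
// Allowlist and origins are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://www.facebook.com",
  "https://chat.facebook.com",
]);

// Weak setting: reflect whatever Origin arrives. Every site on the web can
// then read responses, cookies included when credentials are allowed.
function corsHeadersReflectAnything(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected: allow only an exact allowlist match and echo that single origin
// back. Browsers accept one origin or "*" in this header, not a list, and "*"
// may not be combined with credentials. Returns null to send no CORS headers,
// leaving the browser's default cross-origin read restriction in place.
function corsHeaders(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string") return null; // same-origin or non-CORS request
  let origin;
  try {
    origin = new URL(requestOrigin).origin; // normalizes case and default ports
  } catch (e) {
    return null; // "null" or a malformed Origin header: deny
  }
  if (origin === "null" || !allowlist.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not serve one origin's answer to another
  };
}
```

The Vary header matters once responses are cached: without it a shared cache could hand the allowlisted answer to a request from a different origin.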
22
window.postMessage
  • New API for inter-frame communication
  • Supported in latest betas of many browsers
  • A network-like channel between frames

[Diagram: two frames exchanging messages, "Add a contact" and "Share contacts"]
23
postMessage syntax
    frames[0].postMessage("Attack at dawn!", "http://b.com/")

    window.addEventListener("message", function (e) {
      if (e.origin == "http://a.com") {
        ... e.data ...
      }
    }, false)

[Diagram: message "Attack at dawn!" passing between frames; Facebook anecdote]
24
Navigation
  • Who decides what content goes in a frame?

25
A Guninski Attack
    window.open("https://attacker.com/", "awglogin")
  • Any window can navigate a frame by name; here the attacker's content lands in the login frame named "awglogin"
26
What should the policy be?
[Diagram of the cases: sibling, frame bust, child, descendant]
27
Legacy Browser Behavior

Browser            Policy
IE 6 (default)     Permissive
IE 6 (option)      Child
IE7 (no Flash)     Descendant
IE7 (with Flash)   Permissive
Firefox 2          Window
Safari 3           Permissive
Opera 9            Window
HTML 5             Child
28
Window Policy Anomaly
    top.frames[1].location = "http://www.attacker.com/..."
    top.frames[2].location = "http://www.attacker.com/..."
    ...
  • Under the window policy one gadget frame may navigate every sibling frame in the same window
29
Adoption of Descendant Policy

Browser            Policy
IE7 (no Flash)     Descendant
IE7 (with Flash)   Descendant
Firefox 3          Descendant
Safari 3           Descendant
Opera 9            (many policies)
HTML 5             Descendant
30
Why include targetOrigin?
  • What goes wrong?
    frames[0].postMessage("Attack at dawn!")
  • Messages are sent to frames, not principals
  • When would this happen?
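An added example (not code from the slides) tying the navigation policies of slides 26 to 29 to the targetOrigin question: a toy model of the frame tree in JavaScript. Frame, POLICIES, navigate and postMessage are simplified stand-ins written for this example and are not the DOM API; the descendant predicate also lets a frame navigate anything below a frame that shares its origin, which is my reading of the form browsers adopted; the origins, frame names and messages are constructed.

```javascript
// Added example: frame tree, navigation policies, and postMessage with and
// without targetOrigin. Simplified model, not browser code.

class Frame {
  constructor(origin, name, parent = null) {
    this.origin = origin;   // origin of the document currently loaded here
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.listeners = [];    // "message" handlers of the current document
    if (parent) parent.children.push(this);
  }
  top() { return this.parent ? this.parent.top() : this; }
  child(origin, name) { return new Frame(origin, name, this); }
}

// Slide 26/27 policies as predicates: may `from` load content into `target`?
const POLICIES = {
  permissive: (from, target) => true,
  window:     (from, target) => from.top() === target.top(),
  child:      (from, target) => target.parent === from,
  // Descendant: target is below `from`, or below some frame whose document
  // has from's origin (assumption: the form adopted per slide 29).
  descendant: (from, target) => {
    for (let a = target.parent; a !== null; a = a.parent) {
      if (a === from || a.origin === from.origin) return true;
    }
    return false;
  },
};

// Replace the document in `target` if the policy allows. The old document's
// handlers disappear with it; the new document installs its own.
function navigate(policy, from, target, newOrigin, handler) {
  if (!POLICIES[policy](from, target)) return false;
  target.origin = newOrigin;
  target.listeners = handler ? [handler] : [];
  return true;
}

// postMessage with the slide 23 targetOrigin check: deliver only if the
// document *currently* in the frame has that origin. Returns the origin that
// received the message, or null if it was dropped.
function postMessage(from, target, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== target.origin) return null;
  for (const fn of target.listeners) fn({ data, origin: from.origin });
  return target.origin;
}

// Scenario (constructed): a google.com page holding a login frame named
// "awglogin" and a third-party gadget frame, plus the attacker's own window.
function scenario(policy) {
  const google = new Frame("https://google.com", "top");
  const login = google.child("https://google.com", "awglogin");
  const gadget = google.child("http://7.gmodules.com", "remote_iframe_7");
  const attacker = new Frame("https://attacker.com", "attacker-window");
  const seenByAttacker = [];
  const attackerDoc = (e) => seenByAttacker.push(e.data);
  const acceptedByLogin = [];
  // Receiver-side check from slide 23: act only on messages from google.com.
  login.listeners.push((e) => {
    if (e.origin === "https://google.com") acceptedByLogin.push(e.data);
  });

  const result = {
    // Guninski attack (slide 25): a different window targets the named frame.
    guninski: navigate(policy, attacker, login, "https://attacker.com", attackerDoc),
    // Window-policy anomaly (slide 28): the gadget navigates its sibling.
    siblingHijack: navigate(policy, gadget, login, "https://attacker.com", attackerDoc),
    // Frame busting: may a frame navigate the top-level window?
    frameBust: POLICIES[policy](gadget, google),
  };
  // Slide 30: a message with no target origin goes to whatever is in the frame now...
  result.unqualifiedWentTo = postMessage(google, login, "Attack at dawn!", "*");
  // ...while naming the target origin keeps it away from a hijacked frame.
  result.qualifiedWentTo = postMessage(google, login, "Attack at dawn!", "https://google.com");
  // A spoofed message from the gadget is delivered, but google's handler ignores it.
  postMessage(gadget, login, "spoof", "*");
  result.seenByAttacker = seenByAttacker;
  result.acceptedByLogin = acceptedByLogin;
  return result;
}
```

Run scenario("permissive") and scenario("descendant") side by side: under the permissive policy both hijacks succeed and the unqualified message reaches attacker.com, while the qualified one is dropped; under the descendant policy neither hijack succeeds and both messages reach the google.com document, whose own e.origin check still rejects the gadget's spoof. The model checks tree structure only; real browsers layer further rules on top.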

31
Conclusion
  • Same origin policy is flexible
    • Address bar reflects the principal that's in control
    • Content may be affected by other principals
  • Delegation
    • Library import
    • Domain relaxation
    • Pixel delegation via frames
  • Communication
    • Data export
    • Opt-in messaging

32
Reading
  • Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell
  • http://code.google.com/p/browsersec/wiki/Part2Same-origin_policy