DOI: 10.1145/1455770.1455784
research-article

OMash: enabling secure web mashups via object abstractions

Published: 27 October 2008

ABSTRACT

The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications.

    Reviews

    Eduardo B. Fernandez

    Mashups are built by combining Web pages from different sources, and security is an important aspect of building usable mashups. This paper presents an access control model for mashup aggregation, based on object-oriented principles of hiding information. Pages are treated as objects that communicate only through their defined interfaces and have private areas accessible only within the page. Each page defines this interface with the types of access it allows other pages to have. Crites, Hsu, and Chen show that this approach can simulate all of the trust relationships defined in MashupOS, a predecessor system, although it requires authentication information to be defined as part of the private data of the page, which adds some complications. The approach also provides backward compatibility with applications using same origin policy, a common security policy used in mashups. The paper is clearly written and well organized, and provides a good solution for an important practical problem. A background section presents a clear discussion of security issues in browsers using mashups. Additional sections discuss examples of use, implementation aspects, potential complications, and related work. While the idea is simple, its application is not, and the approach is an ingenious use of object-oriented principles. Security is a fundamental aspect of Web applications. I recommend this paper to anybody who designs mashups.

    Online Computing Reviews Service

    • Published in

      CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
      October 2008
      590 pages
      ISBN:9781595938107
      DOI:10.1145/1455770

      Copyright © 2008 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Acceptance Rates

      CCS '08 Paper Acceptance Rate: 51 of 280 submissions, 18%
      Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
