ABSTRACT
The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications.
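The abstraction described above can be modelled in plain JavaScript. This is an added illustration, not OMash's code or anything from the paper: `makePage`, `getPublicInterface`, `mapPage` and `runIntegrator` are hypothetical names, and closures stand in for the browser-level enforcement the abstract describes.

```javascript
// Added illustration: models "pages as objects" with closures.
// All names here (makePage, getPublicInterface, mapPage) are hypothetical.

// A page is an object: its state lives in a closure, and the only thing
// another page can obtain is the frozen interface the page declares.
function makePage(name, init) {
  const priv = { name, cookies: `session-of-${name}`, dom: {} }; // never exported
  const declared = init(priv);                  // the page chooses what to expose
  const iface = Object.freeze({ ...declared }); // callers cannot add or swap methods
  return Object.freeze({ getPublicInterface: () => iface });
}

// Provider page (constructed example): a map widget exposing one method.
const mapPage = makePage('maps.example', (priv) => ({
  addMarker(lat, lng) {
    // Validate at the boundary: arguments come from an untrusted caller.
    if (!Number.isFinite(lat) || !Number.isFinite(lng)) {
      throw new TypeError('coordinates must be finite numbers');
    }
    priv.dom.markers = (priv.dom.markers || []).concat([[lat, lng]]);
    return priv.dom.markers.length;             // data only, no internal references
  },
}));

// Integrator page: holds a reference to the provider's interface, nothing else.
function runIntegrator(provider) {
  const api = provider.getPublicInterface();
  const result = { count: api.addMarker(38.54, -121.74) };
  result.exposed = Object.keys(api);
  result.seesCookies = 'cookies' in api;        // private state is not reachable
  // Reflect.set reports failure on a frozen object in both strict and sloppy mode.
  result.tampered = Reflect.set(api, 'addMarker', () => 'hijacked');
  try {
    api.addMarker('x', {});                     // malformed input from the caller
    result.rejected = false;
  } catch (e) {
    result.rejected = e instanceof TypeError;
  }
  return result;
}

console.log(runIntegrator(mapPage));
```

The integrator gets functionality (it can place a marker) without the full-trust outcome the abstract describes, since the provider's session data and DOM never cross the interface.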
Index Terms
- OMash: enabling secure web mashups via object abstractions