1 / 32

Frame isolation and the same origin policy

Winter 2009. CS 142. Frame isolation and the same origin policy. Collin Jackson. Outline. Security User Interface Goals of a browser When is it safe to type my password? Same-Origin Policy How sites are isolated Opting out of isolation Navigation Frame hijacking Navigation policy.

lalo
Télécharger la présentation

Frame isolation and the same origin policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Winter 2009 CS 142 Frame isolation and thesame origin policy Collin Jackson

  2. Outline • Security User Interface • Goals of a browser • When is it safe to type my password? • Same-Origin Policy • How sites are isolated • Opting out of isolation • Navigation • Frame hijacking • Navigation policy

  3. Running Remote Code is Risky • Integrity • Compromise your machine • Install malware rootkit • Transact on your accounts • Confidentiality • Read your information • Steal passwords • Read your email

  4. Browser Sandbox • Goal • Run remote web applications safely • Limited access to OS, network, and browser data • Approach • Isolate sites in different security contexts • Browser manages resources, like an OS

  5. Security User Interface When is it safe to type my password?

  6. Safe to type your password?

  7. Safe to type your password?

  8. Safe to type your password?

  9. Safe to type your password? ??? ???

  10. Safe to type your password?

  11. Frames Modularity Brings together content from multiple sources Client-side aggregation Delegation Frame can draw only on its own rectangle src = google.com/… name = awglogin src = 7.gmodules.com/... name = remote_iframe_7

  12. Popup windows • With hyperlinks <a href=“http://www.b.com” target=“foo”>click here</a> • With JavaScript mywin = window.open(“http://www.b.com”, “foo”, “width=10,height=10”) • Navigating named window re-uses existing one • Can access properties of remote window: mywin.document.body mywin.location = “http://www.c.com”;

  13. Windows Interact

  14. Are all interactions good?

  15. Same-Origin Policy How does the browser isolate different sites?

  16. Policy Goals • Safe to visit an evil web site • Safe to visit two pages at the same time • Address bar distinguishes them • Allow safe delegation

  17. Same Origin Policy • Origin = protocol://host:port • Full access to same origin • Full network access • Read/write DOM • Storage (more on Weds.) Assumptions? Site A Site A context Site A context

  18. Library import <script src=https://seal.verisign.com/getseal?host_name=a.com></script> • Script has privileges of imported page, NOT source server. • Can script other pages in this origin, load more scripts • Other forms of importing VeriSign

  19. Data export • Many ways to send information to other origins <form action="http://www.bank.com/"> <input name="data" type="hidden" value="hello"> </form> <img src="http://www.b.com/?data=hello"/> • No user involvement required • Cannot read back response

  20. Domain Relaxation • Origin: scheme, host, (port), hasSetDomain • Try document.domain = document.domain www.facebook.com chat.facebook.com www.facebook.com facebook.com facebook.com chat.facebook.com www.facebook.com

  21. Site B Site A Recent Developments • Cross-origin network requests • Access-Control-Allow-Origin: <list of domains> • Access-Control-Allow-Origin: * • Cross-origin client side communication • Client-side messaging via navigation (older browsers) • postMessage (newer browsers) Site A context Site B context

  22. window.postMessage • New API for inter-frame communication • Supported in latest betas of many browsers • A network-like channel between frames Add a contact Share contacts

  23. postMessage syntax frames[0].postMessage("Attack at dawn!", "http://b.com/"); window.addEventListener("message", function (e) { if (e.origin == "http://a.com") { ... e.data ... } }, false); Attack at dawn! Facebook Anecdote

  24. Navigation Who decides what content goes in a frame?

  25. A Guninski Attack awglogin window.open("https://attacker.com/", "awglogin");

  26. What should the policy be? Sibling Frame Bust Child Descendant

  27. Legacy Browser Behavior

  28. Window Policy Anomaly top.frames[1].location = "http://www.attacker.com/..."; top.frames[2].location = "http://www.attacker.com/..."; ...

  29. Adoption of Descendant Policy

  30. Why include “targetOrigin”? • What goes wrong? frames[0].postMessage("Attack at dawn!"); • Messages sent to frames, not principals • When would this happen?

  31. Conclusion • Same origin policy is flexible • Address bar reflects the principal that's in control • Content may be affected by other principals • Delegation • Library import • Domain relaxation • Pixel delegation via frames • Communication • Data export • Opt-in messaging

  32. Reading • Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell • http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy

More Related