JSFoo Chennai 2012
My presentation at JSFoo Chennai 2012, IIT Madras Research Park
Published in Technology
  • 1. Krishna Chaitanya T, Security & Privacy Research Lab, Infosys Labs
  • 2. Mashups
      A web application which combines content from multiple origins to create a new service.
      Integrator: the party combining the content. Gadget: the integrated content.
      Provides more value add. Fun, easy to DIY. It's all JS madness!
  • 3. Approaches: embedding external scripts; loading content via iframes.
      Requirements: interaction; communication.
      Security: isolation of origins; secure data exchange.
  • 4. Same-origin policy (SOP)
      The browser has to isolate different origins. Origin = protocol://host:port, e.g. http://localhost:81/.
      Privileges within an origin: full network access; read/write access to the DOM; storage.
      Scripts of one origin cannot access the DOM of another. Strangely, scripts themselves are exempted from SOP!!
  • 5. Embedding external scripts
      Very good interactivity. Assumption: the script comes from a trusted source.
      No isolation of origin: embedded scripts have the privileges of the importing page, NOT of the source server.
      Ads, widgets, AJAX libraries all have the same rights.
  • 6. "SOP: Prevents useful things. Allows dangerous things."
      "If there is script from two or more sources, the application is not secure. Period."
      "Fundamentally, XSS is a confusion of interests."
      "A mashup is a self-inflicted XSS attack!"
      Douglas Crockford, JavaScript Architect, Yahoo
  • 7. Restricting JavaScript to a subset: the object-capability security model.
      Idea: if an object in JavaScript has no reference to the XMLHttpRequest object, an AJAX call cannot be made.
      Popular JavaScript subsets: Caja (iGoogle); FBJS (Facebook); ADsafe (Yahoo).
      Learning curve, usability issues.
  • 8. Loading content via iframes
      Separate security context for each origin. Less interactive than the JS approach. Complies with SOP.

          <!-- This is allowed: page in the same origin -->
          <iframe src="sameDomainPage.html"></iframe>
          <script>alert(frames[0].contentDocument.body); // works fine</script>

          <!-- This is NOT allowed: page outside the origin -->
          <iframe src=""></iframe>
          <script>alert(frames[0].contentDocument.body); // throws error</script>

  • 9. Frame navigation
      Beware! Frames can be navigated to different origins! Frame navigation is NOT the same as SOP.
      Frame-frame relationships: can script in frame A modify the DOM of frame B? Can script in frame A "navigate" frame B?

          <iframe src=""></iframe>  <!-- page outside the origin -->
          <script>
          // This is NOT allowed: reading the cross-origin frame's location
          alert(frames[0].location.href); // throws error: SOP restriction
          // This is allowed: navigating the cross-origin frame
          frames[0].location = ""; // works fine: frame navigation
          </script>

  • 10. window.open("", "awglogin"); Courtesy: Stanford Web Security Lab
  • 11. top.frames[1].location = ""; top.frames[2].location = ""; ... Courtesy: Stanford Web Security Lab
  • 12. Frame navigation policies: Permissive, Window, Descendant, Child
  • 13. FIM = Fragment Identifier Messaging
      Limited data, no acknowledgements. Navigation doesn't reload the page. Not a secure channel.

          // Sender.html
          function send() {
            iframe.src = "http://localhost/receiver.html#data";
          }
          // Receiver.html
          window.onload = function () {
            var data = window.location.hash;
          };

  • 14. HTML5 postMessage API: the saviour!
      Cross-origin client-side communication. A network-like channel between frames.
      Securely abstracts multiple principals. Frames can integrate widgets with improved trust!
  • 15. Syntax: otherWindow.postMessage(message, targetOrigin);
      targetOrigin can be a trusted origin or the wildcard "*".

          // Posting a message to a cross-domain partner
          frames[0].postMessage("Hello Partner!", "http://localhost:81/");
          // Retrieving the message from the sender
          window.onmessage = function (e) {
            if (e.origin === "http://localhost") {
              // sanitize and accept data
            }
          };

  • 16. Sandbox: whitelisting restrictions on iframe content. <iframe sandbox src=""></iframe>
      Disables scripts, forms, popups, top navigation etc.
      CORS: Access-Control-Allow-Origin.
      [Diagram: AJAX, postMessage, CORS]
  • 17. Framed sites are susceptible to clickjacking & frame phishing attacks. Bust frames, avoid surprises.
      [Figures. Left: genuine communication. Right: stealing data with the Recursive Mashup Attack]
  • 18. References
      "Secure Frame Communication in Browsers", Adam Barth, Collin Jackson, John Mitchell, Stanford Web Security Research Lab
      W3C HTML5 Specification
      Dive into HTML5
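The origin check sketched on slide 15, worked through as an added example that is not part of the slides: a receiver that accepts messages only from an exact-match allowlist of origins and validates the payload shape, and a sender that names an explicit targetOrigin. The origins, the message format and the fake events are assumptions constructed for the demo.

```javascript
// Added example (not from the slides). Allowlist, message format and the
// events in the test are constructed for this demo.
const TRUSTED_ORIGINS = new Set(["http://localhost", "http://localhost:81"]);

// Exact-match check against the allowlist. Never use substring or prefix
// matching on e.origin: "http://localhost.attacker.example" must not pass.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Receiver side. Returns the accepted payload, or null when the message is
// rejected. The data is still untrusted after the origin check: it is parsed
// as JSON and only one known message shape is accepted.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (err) {
    return null; // malformed payload
  }
  if (!msg || msg.type !== "greeting" || typeof msg.text !== "string") {
    return null; // unexpected shape
  }
  return { from: event.origin, text: msg.text };
}

// Sender side. An explicit targetOrigin (not "*") makes the browser drop the
// message if the partner frame has meanwhile been navigated elsewhere.
function sendGreeting(targetWindow, text) {
  const payload = JSON.stringify({ type: "greeting", text: text });
  targetWindow.postMessage(payload, "http://localhost:81");
}

// Wire-up for a real page; guarded so the block also loads outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (e) {
    const accepted = handleMessage(e);
    if (accepted) console.log("accepted from", accepted.from, accepted.text);
  });
}
```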