The Same-Origin Saga
Brendan Eich
AppSec USA 2012
A long time ago in a
galaxy far, far away...
Netscape 2
• 1995 platform push against looming MSFT threat
• Frames, framesets, plugins (first in Netscape 1.1)
• JavaScri...
Origin
• Take the base URL of a loaded document
• Take the scheme://host:port prefix
• Label all code and data with origin
...
Netscape 3
•<script src=”url”></script>
• Cross-site src URL allowed -- just like img
• Like #include in C, remote script ...
Apply Murphy’s Law, Iterate
• Miserable XSS history elided...
mozilla
8
mozilla
No browser wins by taking overlarge risks
• Previous slide from Collin Jackson’s USENIX Security 2011 invited talk...
Hopeful Developments
• JS is almost OCap (Object Capability)
• Browsers use OCap under the hood
• ES5 and ES6 strengthen J...
Selective Interception
meta
base
object
VM territory (C++)
JavaScript territory
Self-hosted
host object
VM handler VM hand...
Example: Membranes
• Firefox security wrappers (anti-XSS, XUL, etc.)
• Google Caja: capability-secure subset
• Object-capa...
Compartments (Isolated Heaps)
Cross-Compartment Mediation
• Cross-Origin Wrapper
Conclusions + Question
• Same-Origin Policy continues to evolve
• Better isolation, OCap membranes reduce
attack surface
•...
The Same-Origin Saga
Upcoming SlideShare
Loading in …5
×

The Same-Origin Saga

2,526 views

Published on

My AppSecUSA 2012 talk on the Same-Origin Saga, including JavaScript and Netscape history.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,526
On SlideShare
0
From Embeds
0
Number of Embeds
117
Actions
Shares
0
Downloads
4
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

The Same-Origin Saga

  1. 1. The Same-Origin Saga Brendan Eich AppSec USA 2012
  2. 2. A long time ago in a galaxy far, far away...
  3. 3. Netscape 2 • 1995 platform push against looming MSFT threat • Frames, framesets, plugins (first in Netscape 1.1) • JavaScript, in ten days in May •window.open(url, name, options) •window.location, document.cookie •link.click(), form.submit() •javascript: (generated docs, bookmarklets) •document.write(s) still tops for ad insertion
  4. 4. Origin • Take the base URL of a loaded document • Take the scheme://host:port prefix • Label all code and data with origin • Check “same origin” by string compare • Originally, all file: URLs were same-origin! • Fixed to use file pathname as origin • Similarly for imap:, mailbox:, news:
  5. 5. Netscape 3 •<script src=”url”></script> • Cross-site src URL allowed -- just like img • Like #include in C, remote script code given same origin as loading HTML •document.domain for changing effective origin to join a super-domain
  6. 6. Apply Murphy’s Law, Iterate • Miserable XSS history elided...
  7. 7. mozilla 8
  8. 8. mozilla No browser wins by taking overlarge risks • Previous slide from Collin Jackson’s USENIX Security 2011 invited talk, titled “Crossing the Chasm: Pitching Security Research to Mainstream Browser Vendors” [slides] • Features are not free • Mozilla commissioned optional CPython integration work by Mark Hammond • Used by only one embedder • No CPython distribution for Windows or Mac OS X • High sunk and recurring engineering costs 9
  9. 9. Hopeful Developments • JS is almost OCap (Object Capability) • Browsers use OCap under the hood • ES5 and ES6 strengthen JS’s OCap nature • Better Caja/SES efficiency • “use strict” pseudo-pragma • OWASP best practices, Origin header, etc. help outside of JS attack vectors
  10. 10. Selective Interception meta base object VM territory (C++) JavaScript territory Self-hosted host object VM handler VM handler proxy handler
  11. 11. Example: Membranes • Firefox security wrappers (anti-XSS, XUL, etc.) • Google Caja: capability-secure subset • Object-capability model: an object is powerless unless given a reference to other objects • References can be made revocable through a membrane
  12. 12. Compartments (Isolated Heaps)
  13. 13. Cross-Compartment Mediation • Cross-Origin Wrapper
  14. 14. Conclusions + Question • Same-Origin Policy continues to evolve • Better isolation, OCap membranes reduce attack surface • Can we break the web cooperatively? • Label cross-site <script src=”url2”> in document from url1 with subordinate origin computed from both URLs?

×