cross document messaging, html 5
Speaker notes (CORS slide):
  • Browsers fully implement CORS; only the server side has to support the OPTIONS (preflight) request and a few settings for which origins, methods and headers should be returned. When a document from origin A sends a request to origin B that is not a simple GET/POST (a different method, custom headers, or a non-form content type), the browser first sends an OPTIONS request to B and only issues the real request if B's answer allows it.

    1. Cross document messaging. Kristoffer Snabb
    2. Intro
      • Cross-domain XHR is not possible in many cases due to security restrictions
      • vs. hacks and methods developed to be able to do cross-domain messaging
    3. Classic CSRF
    4. Link injection
    5. Solutions to secure websites from CSRF
      • Same origin policy in browsers (on its own it only stops the attacker's page from reading the response; the forged request, carrying the victim's cookies, is still sent, so the site-level measures below are what actually block CSRF)
      • Web site protection methods
        – Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions
        – Requiring the client to provide authentication data in the same HTTP request used to perform any operation with security implications (money transfer, etc.)
        – Limiting the lifetime of session cookies
        – Checking the HTTP Referer header, combined with HTTPS
    6. How to XHR cross domain?
      • Older solutions
        – JSONP = a <script> element, so GET requests only
        – document.domain = both pages set it to the shared parent domain, e.g. (www.)example.com to example.com
        – window.name = "message to iframe and back"
        – Server-side proxy = a lot of work
        – Iframe hacks = complex hack
        – http://easyxdm.net = JavaScript library that uses any of the above
      • New and beautiful
        – CORS (W3C working draft at the time)
        – Cross document messaging (HTML 5)
    7. CORS
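The server side of the exchange in the speaker notes (origin A calls origin B, the browser sends OPTIONS first), as an added example that is not code from the slides: it computes the CORS response headers from an explicit allowlist, and shows the weak configuration of reflecting any Origin together with credentials beside a check that flags it. The origins, methods and header names in the allowlists are assumptions.

```javascript
// Added example, not code from the slides: the server-side half of CORS that
// the speaker note describes. Given the headers a browser attaches (Origin,
// and on a preflight Access-Control-Request-Method/-Headers) it computes the
// response headers from an explicit allowlist, and flags the usual
// misconfiguration of reflecting any Origin together with credentials.
// The origins, methods and header names in the allowlists are assumptions.

const ALLOWED_ORIGINS = ['https://app.example', 'https://admin.example'];
const ALLOWED_METHODS = ['GET', 'POST', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];  // compared lowercase

// Returns { preflight, status, headers }. status is only meaningful for a
// preflight (204 = proceed, 403 = refused); for an actual request the
// application produces its own status and merges these headers in.
function corsResponse(req) {
  const h = req.headers;
  const origin = h.origin;
  const preflight = req.method === 'OPTIONS' &&
    typeof h['access-control-request-method'] === 'string';

  if (!origin || !ALLOWED_ORIGINS.includes(origin)) {
    // No CORS headers at all: the browser then refuses to expose the response
    // to the calling script. For a non-preflighted request the server has
    // still executed it, so this is not a CSRF defence.
    return { preflight, status: preflight ? 403 : null, headers: {} };
  }

  const headers = {
    'Access-Control-Allow-Origin': origin,          // only ever an allowlisted value
    'Vary': 'Origin',                               // shared caches must key on Origin
    'Access-Control-Allow-Credentials': 'true',     // cookies allowed, so never '*' above
  };
  if (!preflight) return { preflight, status: null, headers };

  const method = h['access-control-request-method'].toUpperCase();
  const requested = (h['access-control-request-headers'] || '')
    .split(',').map(x => x.trim().toLowerCase()).filter(Boolean);
  const unknownHeader = requested.find(x => !ALLOWED_HEADERS.includes(x));
  if (!ALLOWED_METHODS.includes(method) || unknownHeader) {
    return { preflight, status: 403, headers: {} };
  }
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600';        // cache the preflight for 10 minutes
  return { preflight, status: 204, headers };
}

// The weak configuration: echo whatever Origin arrives and allow credentials.
// Any site can then make authenticated requests and read the responses.
function reflectingCors(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Check a header set for that mistake: credentialed access granted to an
// origin outside the allowlist (or to '*', which browsers reject anyway).
function isOverPermissive(headers) {
  const o = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  return !!o && creds && !ALLOWED_ORIGINS.includes(o);
}

// Walk the exchange from the slide with constructed requests: origin A's page
// calls origin B with a DELETE, so the browser sends OPTIONS first; then the
// same preflight from a hostile origin.
function corsDemo() {
  const preflightFromA = {
    method: 'OPTIONS',
    headers: {
      origin: 'https://app.example',
      'access-control-request-method': 'DELETE',
      'access-control-request-headers': 'Content-Type',
    },
  };
  const preflightFromEvil = {
    ...preflightFromA,
    headers: { ...preflightFromA.headers, origin: 'https://evil.example' },
  };
  return {
    fromA: corsResponse(preflightFromA),
    fromEvil: corsResponse(preflightFromEvil),
    reflected: isOverPermissive(reflectingCors(preflightFromEvil)),
  };
}

console.log(JSON.stringify(corsDemo(), null, 2));
```

Two points the comparison slide leaves implicit: Vary: Origin is needed as soon as Allow-Origin is computed per request, or a shared cache can serve one origin's grant to another; and CORS only governs what script may read, so a state-changing request from a disallowed origin still runs on the server and needs the CSRF token from slide 5.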
    8. Cross document messaging (HTML 5)
    9. Comparison
      • Messaging
        – Client-side proxy
        – Can be made more complex; the client takes the computing overhead
        – Requires a messaging protocol between the actors (documents)
      • CORS
        – Server-side solution
        – Very simple to implement, or configure Apache to handle CORS
        – Only HTTP requests
    10. Messaging demo
      • Cross document basics
    11. MessageChannel
      • A message channel can be used to create a connection between windows
      • Avoids conflicts with e.g. two iframes sending messages
      • Can be used as an abstraction
      • But origins are lost using channels: a message arriving on a MessagePort carries an empty origin, so the receiver can no longer check who sent it; trust has to be established when the port is handed over with postMessage, and careless use is insecure
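The cross-document basics of slide 10 and the lost-origin problem of slide 11 in one added example that is not code from the slides: a receiving frame that checks event.origin on window messages, accepts a MessageChannel port only when it arrives in a message from a trusted origin, and thereafter accepts port traffic whose origin is empty solely because the port came through that handshake. Browser windows and ports are modelled with plain objects so the exchange runs in Node; the event fields (origin, data, ports) mirror the browser MessageEvent, and the origins and message types are assumptions.

```javascript
// Added example, not code from the slides: origin checks for window.postMessage
// and the trust handoff for a MessageChannel port, modelled in plain Node so
// it runs without a browser. The event shapes mirror the browser MessageEvent
// (origin, data, ports); the origins and message types are assumptions.

const PARENT_ORIGIN = 'https://app.example';      // assumed embedding page
const WIDGET_ORIGIN = 'https://widget.example';   // assumed iframe origin

// Stand-in for a browser window: an origin and a queue of delivered events.
function makeWindow(origin) {
  return { origin, inbox: [] };
}

// Models window.postMessage delivery: the browser stamps the sender's origin
// on the event and drops the message if targetOrigin does not match.
function postMessage(from, to, data, targetOrigin, ports = []) {
  if (targetOrigin !== '*' && targetOrigin !== to.origin) return false;
  to.inbox.push({ origin: from.origin, data, ports });
  return true;
}

// Models a MessageChannel: two entangled ports. A message delivered on a port
// carries an empty origin, which is the property slide 11 warns about.
function makeChannel() {
  const port1 = { inbox: [] };
  const port2 = { inbox: [] };
  port1.peer = port2;
  port2.peer = port1;
  return { port1, port2 };
}
function portPost(port, data) {
  port.peer.inbox.push({ origin: '', data, ports: [] });
}

// Receiver state for the iframe: the origins it trusts and the one port it
// has agreed to listen to.
function makeReceiver(allowedOrigins) {
  return { allowedOrigins, boundPort: null, log: [] };
}

// Handler for window 'message' events: check origin first, then the shape,
// and accept a transferred port only because the handshake's origin passed.
function onWindowMessage(rx, ev) {
  if (!rx.allowedOrigins.includes(ev.origin)) {
    return { ok: false, reason: `rejected origin ${ev.origin || '(empty)'}` };
  }
  if (!ev.data || typeof ev.data.type !== 'string') {
    return { ok: false, reason: 'malformed message' };
  }
  if (ev.data.type === 'init' && ev.ports.length === 1) {
    rx.boundPort = ev.ports[0];           // trust inherited from ev.origin
    return { ok: true, reason: 'channel bound' };
  }
  return handle(rx, ev.data);
}

// Handler for messages on a port: there is no origin to check, so the only
// defence is that the port object itself came through a verified handshake.
function onPortMessage(rx, port, ev) {
  if (port !== rx.boundPort) return { ok: false, reason: 'unbound port' };
  if (!ev.data || typeof ev.data.type !== 'string') {
    return { ok: false, reason: 'malformed message' };
  }
  return handle(rx, ev.data);
}

// Application dispatch: a fixed set of message types, payload used as data
// only (never eval'd or written as HTML).
function handle(rx, msg) {
  switch (msg.type) {
    case 'setTitle':
      if (typeof msg.title !== 'string') return { ok: false, reason: 'bad title' };
      rx.log.push(`title=${msg.title}`);
      return { ok: true, reason: 'applied' };
    default:
      return { ok: false, reason: `unknown type ${msg.type}` };
  }
}

// Walk the exchange: a hostile frame is refused, the trusted parent hands
// over a port, later port traffic is accepted although its origin is empty,
// and a message sent with the wrong targetOrigin never arrives at all.
function messagingDemo() {
  const parent = makeWindow(PARENT_ORIGIN);
  const attacker = makeWindow('https://evil.example');
  const widget = makeWindow(WIDGET_ORIGIN);
  const rx = makeReceiver([PARENT_ORIGIN]);
  const results = [];

  postMessage(attacker, widget, { type: 'setTitle', title: 'pwned' }, '*');
  results.push(onWindowMessage(rx, widget.inbox.shift()));

  const { port1, port2 } = makeChannel();
  postMessage(parent, widget, { type: 'init' }, WIDGET_ORIGIN, [port2]);
  results.push(onWindowMessage(rx, widget.inbox.shift()));

  portPost(port1, { type: 'setTitle', title: 'hello' });
  results.push(onPortMessage(rx, port2, port2.inbox.shift()));

  results.push(postMessage(parent, widget, { type: 'init' }, 'https://other.example'));
  return { results, log: rx.log };
}

console.log(messagingDemo());
```

The sender side matters as much as the receiver: passing a concrete targetOrigin instead of '*' is what keeps the data from reaching a frame that has navigated elsewhere, and the port is only ever transferred inside such a targeted message.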
    12. Conclusions
      • Cross document messaging requires a lot of implementation
      • Lots of possibilities on the client side
      • Channel messaging does not work yet
      • CORS is a viable option
    13. Articles
      • Akiyoshi Matono, Akihito Nakamura, and Isao Kojima, "A Mashup Tool for Cross-Domain Web Applications Using HTML5 Technologies", 2011
      • Adam Barth, Collin Jackson, and John C. Mitchell, "Robust Defenses for Cross-Site Request Forgery", 2008
      • Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens, "Automatic and Precise Client-Side Protection against CSRF Attacks", 2011
      • Adam Barth, Collin Jackson, and John C. Mitchell, "Securing Frame Communication in Browsers", 2008