2. Intro
• Cross domain XHR is not possible in many cases due to security restrictions
VS.
• Hacks and methods developed to be able to do cross domain messaging
5. Solutions to secure websites from CSRF
• Same origin policy in browsers
• Web site protection methods
– Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions
– Requiring the client to provide authentication data in the same HTTP request used to perform any operation with security implications (money transfer, etc.)
– Limiting the lifetime of session cookies
– Checking the HTTP Referer header + HTTPS
6. How to XHR cross domain?
• Older solutions
– JSONP = <script> element and GET requests
– document.domain = (www) example.com
– window.name = “message to iframe and back”
– Server-side proxy = lot of work
– Iframe hacks = complex hack
– http://easyxdm.net = JavaScript library using any of the above
• New and beautiful
– CORS (W3C working draft)
– Cross document messaging (HTML5)
9. Comparison
• Messaging
– Client side proxy
– Can be made more complex, client takes the computing overhead
– Requires messaging protocol between the actors (documents)
• CORS
– Server side solution
– Very simple to implement, or configure Apache to handle CORS
– Only HTTP requests
11. MessageChannel
• A message channel can be used to create a connection between windows
• Avoids conflicts with e.g. two iframes sending messages
• Can be used as an abstraction
• But the sender's origin is lost when using channels, so they can be seen as insecure
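The receiving and sending side of cross document messaging, showing the origin check on `window.postMessage` events and one way to keep trust when switching to a MessageChannel, where the slide notes the origin is lost. This is an added example written for this page, not code from the slides; the trusted origin, the `handshake`/`ping` message types and the constructed `{ origin, data, ports }` event objects (used in place of real browser events so the logic runs in Node) are assumptions of the example.

```javascript
// Receiving and sending side of cross-document messaging, with the
// MessageChannel caveat from the slide: a message that arrives on a
// MessagePort carries no origin, so the port is bound to an origin at the
// moment it is handed over in a window.postMessage event whose event.origin
// has been checked. Added example, not code from the slides; browser events
// are replaced by constructed plain objects { origin, data, ports }.

// Assumed origins of the documents allowed to talk to this window.
const TRUSTED_ORIGINS = new Set(['https://widget.example']);

// Ports accepted through a verified handshake, mapped to the sender's origin.
const boundPorts = new Map();

// Handler for the window 'message' event.
function onWindowMessage(event) {
  // The essential check: any document holding a reference to this window can
  // post to it, so event.origin decides whether the payload is looked at.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  // Treat the payload as data, never as code (no eval, no innerHTML).
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  if (msg.type === 'handshake') {
    // The sender transfers one MessagePort; remember which verified origin it
    // came from, because later port messages will not tell us.
    if (!event.ports || event.ports.length !== 1) {
      return { accepted: false, reason: 'handshake without a port' };
    }
    const port = event.ports[0];
    boundPorts.set(port, event.origin);
    port.onmessage = (portEvent) => onPortMessage(port, portEvent);
    return { accepted: true, boundTo: event.origin };
  }
  if (msg.type === 'ping') {
    return { accepted: true, reply: { type: 'pong' } };
  }
  return { accepted: false, reason: 'unknown type ' + msg.type };
}

// Handler for messages on an accepted port. In browsers portEvent.origin is
// the empty string, so trust comes only from the handshake binding.
function onPortMessage(port, portEvent) {
  const origin = boundPorts.get(port);
  if (!origin) return { accepted: false, reason: 'port not bound by handshake' };
  return { accepted: true, from: origin, data: portEvent.data };
}

// Sending side: always name the target origin. With '*' the message would be
// delivered even after the frame has navigated to another site; this example
// refuses it outright (assumed policy, since nothing here is public data).
function sendToFrame(frameWindow, data, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to post to any origin');
  frameWindow.postMessage(data, targetOrigin);
  return targetOrigin;
}

// Wire the handler up when running inside a real browser window.
if (typeof window !== 'undefined') {
  window.addEventListener('message', onWindowMessage);
}
```

The binding in `boundPorts` is what makes the channel usable despite the lost origin: a port that was never delivered through a verified handshake is rejected, and every port message is attributed to the origin recorded at handshake time.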
12. Conclusions
• Cross document messaging requires a lot of implementation
• Lots of possibilities on the client side
• Channel messaging does not work yet
• CORS is a viable option
13. Articles
• “A Mashup Tool for Cross-Domain Web Applications Using HTML5 Technologies”, Akiyoshi Matono, Akihito Nakamura, and Isao Kojima, 2011
• “Robust Defenses for Cross-Site Request Forgery”, Adam Barth, Collin Jackson, John C. Mitchell, 2008
• “Automatic and Precise Client-Side Protection against CSRF Attacks”, Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens, 2011
• “Securing Frame Communication in Browsers”, Adam Barth, Collin Jackson, and John C. Mitchell, 2008
Editor's Notes
Browsers fully implement CORS; only the server side has to support OPTIONS requests and some settings related to what should be returned. The document is from domain A and is sending a request to domain B; browsers send first an OPTIONS request.