SlideShare a Scribd company logo

cross document messaging, html 5

Download as PPTX, PDF
K
Kristoffer Snabb
TechnologyBusiness
1 of 13
Cross document messaging Kristoffer Snabb
Intro • Cross domain xhr not possible in many cases due to security restrictions VS. • Hacks and methods developed to be able to do cross domain messaging
Classic CSRF
Link injection
Solutions to secure websites from CSRF • Same origin policy in browsers • Web site protection methods – Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions – Requiring the client to provide authentication data in the same HTTP Request used to perform any operation with security implications (money transfer, etc.) – Limiting the lifetime of session cookies – Checking the HTTP Referrer header + HTTPS
How to XHR cross domain? • Older solutions – JSONP = <script> element and GET requests – Document.domain = (www) example.com – Window.name = ”message to iframe and back” – Server-side proxy = lot of work – Iframe hacks = complex hack – http://easyxdm.net = javascript library using any of the above • New and beautiful – CORS (w3c working draft) – Cross document messaging (HTML 5)
CORS
Cross document messaging HTML 5
Comparison • Messaging • Cors – Client side proxy – Server side solution – Can be made more – Very simple to complex, client takes the implement, or configure computing overhead apache to handle CORS – Requires messaging – Only HTTP Requests protocol between the actors (documents)
Messaging demo • Cross document basics
MessageChannel • Message channel can be used to create connection between windows • Avoid conflicts with e.g. two iframes sending messages • Can be used as an abstraction • But origins are lost using channels and can be seen as insecure
Conclusions • Cross document messaging, requires a lot of implementation • Lot’s of possibilities on client side • Channel messaging does not work yet • CORS is a viable option
Articles • “A Mashup Tool for Cross-Domain Web Applications Using HTML5 Technologies”, Akiyoshi Matono, Akihito Nakamura, and Isao Kojima, 2011 • “Robust Defenses for Cross-Site Request Forgery”, Adam Barth, Collin Jackson, John C. Mitchell, 2008 • “Automatic and Precise Client-Side Protection against CSRF Attacks”, Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens, 2011 • “Securing Frame Communication in Browsers”, By Adam Barth, Collin Jackson, and John C. Mitchell, 2008

Recommended

REST-Api Design & Develop
REST-Api Design & DevelopREST-Api Design & Develop
REST-Api Design & DevelopSabbir Rupom
 
Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentalsarunv
 
www | HTTP | HTML - Tutorial
www | HTTP | HTML - Tutorialwww | HTTP | HTML - Tutorial
www | HTTP | HTML - TutorialMSA Technosoft
 
zigbee
zigbeezigbee
zigbeemahamad juber
 
World wide web architecture presentation
World wide web architecture presentationWorld wide web architecture presentation
World wide web architecture presentationImMe Khan
 
Www(alyssa) (2)
Www(alyssa) (2)Www(alyssa) (2)
Www(alyssa) (2)alyssamarieparal
 
Blind xss
Blind xssBlind xss
Blind xssRonan Dunne, CEH, SSCP
 
Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Maisha Price
 

Recommended

REST-Api Design & Develop
REST-Api Design & DevelopREST-Api Design & Develop
REST-Api Design & DevelopSabbir Rupom
 
Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentalsarunv
 
www | HTTP | HTML - Tutorial
www | HTTP | HTML - Tutorialwww | HTTP | HTML - Tutorial
www | HTTP | HTML - TutorialMSA Technosoft
 
zigbee
zigbeezigbee
zigbeemahamad juber
 
World wide web architecture presentation
World wide web architecture presentationWorld wide web architecture presentation
World wide web architecture presentationImMe Khan
 
Www(alyssa) (2)
Www(alyssa) (2)Www(alyssa) (2)
Www(alyssa) (2)alyssamarieparal
 
Blind xss
Blind xssBlind xss
Blind xssRonan Dunne, CEH, SSCP
 
Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Maisha Price
 
Architecture Best Practices
Architecture Best PracticesArchitecture Best Practices
Architecture Best PracticesAWS Germany
 
Web Fundamental
Web FundamentalWeb Fundamental
Web FundamentalSiliconExpert Technologies
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams SecurityBlueinfy Solutions
 
MTA managing text flow by using css
MTA managing text flow by using cssMTA managing text flow by using css
MTA managing text flow by using cssDhairya Joshi
 
Web fundamentals - part 1
Web fundamentals - part 1Web fundamentals - part 1
Web fundamentals - part 1Bozhidar Boshnakov
 
introduction to web application development
introduction to web application developmentintroduction to web application development
introduction to web application developmentFLYMAN TECHNOLOGY LIMITED
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)Jef Claes
 
Inet prog
Inet progInet prog
Inet progtt_aljobory
 
W-JAX Performance Workshop - Web and AJAX
W-JAX Performance Workshop - Web and AJAXW-JAX Performance Workshop - Web and AJAX
W-JAX Performance Workshop - Web and AJAXAlois Reitbauer
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
Web services protocols
Web services protocolsWeb services protocols
Web services protocolsJin Castor
 
Web fundamentals 2
Web fundamentals 2Web fundamentals 2
Web fundamentals 2Bozhidar Boshnakov
 
Website/Web Applications / Static vs Dynamic Website / Web Browser /
Website/Web Applications / Static vs Dynamic Website / Web Browser / Website/Web Applications / Static vs Dynamic Website / Web Browser /
Website/Web Applications / Static vs Dynamic Website / Web Browser / Sachin Yadav
 
Experience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemExperience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemZalo_app
 
Best Practice in Web Service Design
Best Practice in Web Service DesignBest Practice in Web Service Design
Best Practice in Web Service DesignLorna Mitchell
 
Web Technology Fundamentals
Web Technology FundamentalsWeb Technology Fundamentals
Web Technology Fundamentalssunmitraeducation
 
Basics of the Web Platform
Basics of the Web PlatformBasics of the Web Platform
Basics of the Web PlatformSanjeev Verma, PhD
 
Firewall & Proxy Server
Firewall & Proxy ServerFirewall & Proxy Server
Firewall & Proxy ServerLakshyaArora12
 
Multi-Process JavaScript Architectures
Multi-Process JavaScript ArchitecturesMulti-Process JavaScript Architectures
Multi-Process JavaScript ArchitecturesMark Trostler
 
Web services
Web servicesWeb services
Web servicesHans Granqvist
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Privacy &amp; Social Media
Privacy &amp; Social MediaPrivacy &amp; Social Media
Privacy &amp; Social Mediachuckbt
 

More Related Content

What's hot

Architecture Best Practices
Architecture Best PracticesArchitecture Best Practices
Architecture Best PracticesAWS Germany
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams SecurityBlueinfy Solutions
 
MTA managing text flow by using css
MTA managing text flow by using cssMTA managing text flow by using css
MTA managing text flow by using cssDhairya Joshi
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)Jef Claes
 
W-JAX Performance Workshop - Web and AJAX
W-JAX Performance Workshop - Web and AJAXW-JAX Performance Workshop - Web and AJAX
W-JAX Performance Workshop - Web and AJAXAlois Reitbauer
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
Web services protocols
Web services protocolsWeb services protocols
Web services protocolsJin Castor
 
Website/Web Applications / Static vs Dynamic Website / Web Browser /
Website/Web Applications / Static vs Dynamic Website / Web Browser / Website/Web Applications / Static vs Dynamic Website / Web Browser /
Website/Web Applications / Static vs Dynamic Website / Web Browser / Sachin Yadav
 
Experience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemExperience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemZalo_app
 
Best Practice in Web Service Design
Best Practice in Web Service DesignBest Practice in Web Service Design
Best Practice in Web Service DesignLorna Mitchell
 
Firewall & Proxy Server
Firewall & Proxy ServerFirewall & Proxy Server
Firewall & Proxy ServerLakshyaArora12
 
Multi-Process JavaScript Architectures
Multi-Process JavaScript ArchitecturesMulti-Process JavaScript Architectures
Multi-Process JavaScript ArchitecturesMark Trostler
 

What's hot (20)

Architecture Best Practices
Architecture Best PracticesArchitecture Best Practices
Architecture Best Practices
 
Web Fundamental
Web FundamentalWeb Fundamental
Web Fundamental
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 
MTA managing text flow by using css
MTA managing text flow by using cssMTA managing text flow by using css
MTA managing text flow by using css
 
Web fundamentals - part 1
Web fundamentals - part 1Web fundamentals - part 1
Web fundamentals - part 1
 
introduction to web application development
introduction to web application developmentintroduction to web application development
introduction to web application development
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)
 
Inet prog
Inet progInet prog
Inet prog
 
W-JAX Performance Workshop - Web and AJAX
W-JAX Performance Workshop - Web and AJAXW-JAX Performance Workshop - Web and AJAX
W-JAX Performance Workshop - Web and AJAX
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
Web services protocols
Web services protocolsWeb services protocols
Web services protocols
 
Web fundamentals 2
Web fundamentals 2Web fundamentals 2
Web fundamentals 2
 
Website/Web Applications / Static vs Dynamic Website / Web Browser /
Website/Web Applications / Static vs Dynamic Website / Web Browser / Website/Web Applications / Static vs Dynamic Website / Web Browser /
Website/Web Applications / Static vs Dynamic Website / Web Browser /
 
Experience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemExperience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time system
 
Best Practice in Web Service Design
Best Practice in Web Service DesignBest Practice in Web Service Design
Best Practice in Web Service Design
 
Web Technology Fundamentals
Web Technology FundamentalsWeb Technology Fundamentals
Web Technology Fundamentals
 
Basics of the Web Platform
Basics of the Web PlatformBasics of the Web Platform
Basics of the Web Platform
 
Firewall & Proxy Server
Firewall & Proxy ServerFirewall & Proxy Server
Firewall & Proxy Server
 
Multi-Process JavaScript Architectures
Multi-Process JavaScript ArchitecturesMulti-Process JavaScript Architectures
Multi-Process JavaScript Architectures
 
Web services
Web servicesWeb services
Web services
 

Viewers also liked

Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Privacy &amp; Social Media
Privacy &amp; Social MediaPrivacy &amp; Social Media
Privacy &amp; Social Mediachuckbt
 
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETVirtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETKrishna T
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorizationFrank Victory
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshellLennart Schoors
 

Viewers also liked (9)

Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
Privacy &amp; Social Media
Privacy &amp; Social MediaPrivacy &amp; Social Media
Privacy &amp; Social Media
 
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETVirtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshell
 
Introduction to Html5
Introduction to Html5Introduction to Html5
Introduction to Html5
 
html5.ppt
html5.ppthtml5.ppt
html5.ppt
 

Similar to cross document messaging, html 5

Module 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptxModule 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptxAASTHAJAJOO
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsys
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsysUsing communication and messaging API in the HTML5 world - GIl Fink, sparXsys
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsysCodemotion Tel Aviv
 
Ajax:From Desktop Applications towards Ajax Web Applications
Ajax:From Desktop Applications towards Ajax Web ApplicationsAjax:From Desktop Applications towards Ajax Web Applications
Ajax:From Desktop Applications towards Ajax Web ApplicationsSiva Kumar
 
Performance Evaluation of XMPP on the Web
Performance Evaluation of XMPP on the WebPerformance Evaluation of XMPP on the Web
Performance Evaluation of XMPP on the WebMarkku Laine
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
WEB-DBMS A quick reference
WEB-DBMS A quick referenceWEB-DBMS A quick reference
WEB-DBMS A quick referenceMarc Dy
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Cloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumCloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumSteven Miller
 
Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016Jack Zheng
 
Proxy http ftp dns email
Proxy http ftp dns emailProxy http ftp dns email
Proxy http ftp dns emailHeera K S
 
Protecting Web Services from DDOS Attack
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS AttackPonraj
 
D1-3-Signaling
D1-3-SignalingD1-3-Signaling
D1-3-SignalingOleg Levy
 

Similar to cross document messaging, html 5 (20)

world wide web
world wide webworld wide web
world wide web
 
Web
WebWeb
Web
 
Module 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptxModule 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptx
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsys
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsysUsing communication and messaging API in the HTML5 world - GIl Fink, sparXsys
Using communication and messaging API in the HTML5 world - GIl Fink, sparXsys
 
Ajax:From Desktop Applications towards Ajax Web Applications
Ajax:From Desktop Applications towards Ajax Web ApplicationsAjax:From Desktop Applications towards Ajax Web Applications
Ajax:From Desktop Applications towards Ajax Web Applications
 
Web
WebWeb
Web
 
Performance Evaluation of XMPP on the Web
Performance Evaluation of XMPP on the WebPerformance Evaluation of XMPP on the Web
Performance Evaluation of XMPP on the Web
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
WEB-DBMS A quick reference
WEB-DBMS A quick referenceWEB-DBMS A quick reference
WEB-DBMS A quick reference
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
IP UNIT 1.pptx
IP UNIT 1.pptxIP UNIT 1.pptx
IP UNIT 1.pptx
 
Cloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumCloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming Curriculum
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
How the Internet Works
How the Internet WorksHow the Internet Works
How the Internet Works
 
Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016
 
Proxy http ftp dns email
Proxy http ftp dns emailProxy http ftp dns email
Proxy http ftp dns email
 
Protecting Web Services from DDOS Attack
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS Attack
 
D1-3-Signaling
D1-3-SignalingD1-3-Signaling
D1-3-Signaling
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)security
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

cross document messaging, html 5

  • 1. Cross document messaging Kristoffer Snabb
  • 2. Intro • Cross domain xhr not possible in many cases due to security restrictions VS. • Hacks and methods developed to be able to do cross domain messaging
  • 5. Solutions to secure websites from CSRF • Same origin policy in browsers • Web site protection methods – Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions – Requiring the client to provide authentication data in the same HTTP Request used to perform any operation with security implications (money transfer, etc.) – Limiting the lifetime of session cookies – Checking the HTTP Referrer header + HTTPS
  • 6. How to XHR cross domain? • Older solutions – JSONP = <script> element and GET requests – Document.domain = (www) example.com – Window.name = ”message to iframe and back” – Server-side proxy = lot of work – Iframe hacks = complex hack – http://easyxdm.net = javascript library using any of the above • New and beautiful – CORS (w3c working draft) – Cross document messaging (HTML 5)
  • 9. Comparison • Messaging • Cors – Client side proxy – Server side solution – Can be made more – Very simple to complex, client takes the implement, or configure computing overhead apache to handle CORS – Requires messaging – Only HTTP Requests protocol between the actors (documents)
  • 10. Messaging demo • Cross document basics
  • 11. MessageChannel • Message channel can be used to create connection between windows • Avoid conflicts with e.g. two iframes sending messages • Can be used as an abstraction • But origins are lost using channels and can be seen as insecure
  • 12. Conclusions • Cross document messaging, requires a lot of implementation • Lot’s of possibilities on client side • Channel messaging does not work yet • CORS is a viable option
  • 13. Articles • “A Mashup Tool for Cross-Domain Web Applications Using HTML5 Technologies”, Akiyoshi Matono, Akihito Nakamura, and Isao Kojima, 2011 • “Robust Defenses for Cross-Site Request Forgery”, Adam Barth, Collin Jackson, John C. Mitchell, 2008 • “Automatic and Precise Client-Side Protection against CSRF Attacks”, Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens, 2011 • “Securing Frame Communication in Browsers”, By Adam Barth, Collin Jackson, and John C. Mitchell, 2008

Editor's Notes

  1. Browserfullyimplement and only server side has to support options requests and somesettingsrelatedtowhatshould be returnedThe document is from domainA and sendingrequesttodomainB browsers sendfirst an options request
  2. TODO:- change the sequence from domainAtoorigin A and origin B like in the otherslides- Change the color of the messagearrows