Adam Barth
John C. Mitchell
Abstract
Many Web sites embed third-party content in frames, relying on the browser's security policy to protect against malicious content. However, frames provide insufficient isolation in browsers that let framed content navigate other frames. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in the open-source browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also affects communication between cooperating frames. We therefore analyze two techniques for interframe communication between isolated frames. The first method, fragment identifier messaging, initially provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, <code>postMessage</code>, initially provides authentication, but we discover an attack that breaches confidentiality. We propose improvements in the <code>postMessage</code> API to provide confidentiality; our proposal has been standardized and adopted in browser implementations.
- Burke, J. Cross domain frame communication with fragment identifiers. http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html.Google Scholar
- Crockford, D. The <module> tag. http://www.json.org/module.html.Google Scholar
- Daswani, N., Stoppelman, M. et al. The anatomy of Clickbot.A. In Proceedings of the HotBots (2007). Google ScholarDigital Library
- Dhamija, R., Tygar, J.D., Hearst, M. Why phishing works. In CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2006). Google ScholarDigital Library
- Eich, B. JavaScript: Mobility and ubiquity. http://kathrin.dagstuhl.de/files/Materials/07/07091/07091EichBrendan.Slides.pdf.Google Scholar
- Felten, E.W., Balfanz, D., Dean, D., Wallach, D.S. Web spoofing: An Internet con game. In Proceedings of the 20th National Information Systems Security Conference (1996).Google Scholar
- Guninski, G. Frame spoofing using loading two frames. Mozilla Bug 13871.Google Scholar
- Hickson, I. Re: A potential slight security enhancement to postMessage, Februrary 2008. http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-February/013949.html.Google Scholar
- Hickson, I. Re: HTML5 frame navigation policy, April 2008. http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-April/014597.html.Google Scholar
- Hickson, I. et al. HTML 5 Working Draft, http://www.whatwg.org/specs/web-apps/current-work/.Google Scholar
- Jackson, C., Barth, A. Beware of finer-grained origins. In Proceedings of the Web 2.0 Security and Privacy (W2SP) (2008).Google Scholar
- Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D. Protecting browsers from DNS rebinding attacks. In Proceedings of of the 14th ACM Conference on Computer and Communications Security (CCS) (2007). Google ScholarDigital Library
- Jackson, C., Wang, H.J. Subspace: Secure cross-domain communication for web mashups. In Proceedings of the 16th International World Wide Web Conference (WWW) (2007). Google ScholarDigital Library
- De Keukelaere, F., Bhola, S., Steiner M., Chari, S., Yoshihama, S. SMash: Secure cross-domain mashups on unmodified browsers. In Proceedings of the 17th International World Wide Web Conference (WWW) (2008). To appear. Google ScholarDigital Library
- Lowe, G. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proceedings of TACAS (volume 1055,1996), Springer Verlag. Google ScholarDigital Library
- Microsoft. SECURITY attribute (FRAME, IFRAME). http://msdn2.microsoft.com/en-us/library/ms534622(VS.85.)aspx.Google Scholar
- Needham, R.M., Schroeder, M.D. Using encryption for authentication in large networks of computers. Commun. ACM, 21,12 (1978), 993--999. Google ScholarDigital Library
- Ross, D., January 2008. Personal communication.Google Scholar
- Ruderman, J. JavaScript Security: Same Origin, http://www.mozilla.org/projects/security/components/same-origin.html.Google Scholar
- Stuttard, D., Pinto, M. The Web Application Hacker's Handbook. Wiley, 2007.Google Scholar
- Thorpe, D. Secure cross-domain communication in the browser. Archit. J. 12 (2007), 14--18.Google Scholar
- Wang, H.J., Fan, X., Howell, J., Jackson, C. Protection and communication abstractions for web browsers in MashupOS. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP) (2007). Google ScholarDigital Library
Index Terms
- Securing frame communication in browsers
Recommendations
Securing frame communication in browsers
SS'08: Proceedings of the 17th conference on Security symposiumMany web sites embed third-party content in frames, relying on the browser's security policy to protect them from malicious content. Frames, however, are often insufficient isolation primitives because most browsers let framed content manipulate other ...
Securing script-based extensibility in web browsers
USENIX Security'10: Proceedings of the 19th USENIX conference on SecurityWeb browsers are increasingly designed to be extensible to keep up with the Web's rapid pace of change. This extensibility is typically implemented using script-based extensions. Script extensions have access to sensitive browser APIs and content from ...
Protecting browsers from cross-origin CSS attacks
CCS '10: Proceedings of the 17th ACM conference on Computer and communications securityCross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user's existing authenticated session; existing XSS defenses are ineffective. We show how to conduct these attacks with any browser, ...
Comments