Securing frame communication in browsers

Communications of the ACM

Volumn 52, Issue 6, 2009, Pages 83-91

  Barth, Adam ^a   Jackson, Collin ^b   Mitchell, John C ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b STANFORD UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INTER-FRAME; OPEN-SOURCE; SECURITY POLICY; THIRD-PARTY CONTENT;

AUTHENTICATION; NAVIGATION; NETWORK PROTOCOLS;

INTERNET PROTOCOLS;

EID: 67449088776     PISSN: 00010782     EISSN: 15577317     Source Type: Journal    
DOI: 10.1145/1516046.1516066     Document Type: Article

References (22)

1. Burke, J. Cross domain frame communication with fragment identifiers. http://tagneto.blogspot. com/2006/06/cross-domain-framecommunication-with.html.
2. Crockford, D. The tag. http://www.json.org/module.html.
3. Daswani, N., Stoppelman, M. et al. The anatomy of Clickbot.A. In Proceedings of the HotBots (2007).
4. Dhamija, R., Tygar, J.D., Hearst, M. Why phishing works. In CHI '06: Proceedings of the SIQCHI Conference on Human Factors in Computing Systems (2006).
5. Eich, B. JavaScript: Mobility and ubiquity, http://kathrin.dagstuhl.de/ files/Materials/07/07091/07091 EichBrendan.Slides.pdf.
6. Feiten, E.W., Balfanz, D., Dean, D., Wallach, D.S. Web spoofing: An Internet con game. In Proceedings of the 20th National Information Systems Security Conference (1996).
7. Quninski, G. Frame spoofing using loading two frames. Mozilla Bug 13871.
8. Hickson, I. Re: A potential slight security enhancement to postMessage, Februrary 2008, http:// lists.whatwg.org/pipermail/whatwgwhatwg.org/2008- February/013949. html.
9. Hickson, I. Re: HTML5 frame navigation policy, April 2008, http:// lists.whatwg.org/pipermail/whatwgwhatwg.org/2008-April/014597.html.
10. Hickson, I. et al. HTML 5 Working Draft. http://www.whatwg.org/specs/ web-apps/ current-work/
11. Jackson, C., Barth, A. Beware of finergrained origins. In Proceedings of the Web 2.0 Security and Privacy (W2SP) (2008).
12. Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D. Protecting browsers from DNS rebinding attacks, In Proceedings of of the 14th ACM Conference on Computer and Communications Security (CCS) (2007).
13. Jackson, C., Wang, H.J. Subspace: Secure cross-domain communication for web mashups. In Proceedings of the 16th International World Wide Web Conference (WWW) (2007).
14. De Keukelaere, F., Bhola, S., Steiner, M., Chari, S., Yoshihama, S, SMash: Secure cross-domain mashups on unmodified browsers. In Proceedings of the 17th International World Wide Web Conference (WWW) (2008). To appear.
15. Lowe, G. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proceedings of TACAS (volume 1055, 1996), Springer Verlag.
16. Microsoft. SECURITY attribute (FRAME, IFRAME). http://msdn2 microsoft.com/en-us/library/ ms534622(VS.85.)aspx.
17. Needham, R.M., Schroeder, M.D. Using encryption for authentication in large networks of computers. Commun. ACM, 21, 12 (1978), 993-999.
18. Ross, D., January 2008. Personal communication.
19. Ruderman, J. JavaScript Security: Same Origin, http://www.mozilla.org/ projects/security/components/ same-origin.html.
20. Stuttard, D., Pinto, M. The Web Application Hacker's Handbook. Wiley, 2007.
21. Thorpe, D. Secure cross-domain communication in the browser. Archit. J. 12 (2007), 14-18.
22. Wang, H.J., Fan, X., Howell, J., Jackson, C. Protection and communication abstractions for web browsers in MashupOS. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP) (2007).