OMash: Enabling secure web mashups via object abstractions

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2008, Pages 99-107

  Crites, Steven ^a   Hsu, Francis ^a   Chen, Hao ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Browser; Communication; Mashup; Object abstraction; Protection; Same origin policy; Security model; Web

Indexed keywords

BROWSER; MASHUP; OBJECT ABSTRACTION; PROTECTION; SAME ORIGIN POLICY; SECURITY MODEL; WEB;

ABSTRACTING; COMMUNICATION; SECURITY OF DATA; WORLD WIDE WEB;

WEB BROWSERS;

EID: 70349300102     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1455770.1455784     Document Type: Conference Paper

References (27)

1. Craigslist. http: //www.craigslist. org/, 2008, (accessed August 10,2008).
2. Google Maps, http://maps.google.com/, 2008, (accessed August 10, 2008).
3. Google Maps API. http://www.g00gle.com/api5/maps/, 2008, (accessed August 10, 2008).
4. HousingMaps. http: //www.housingmaps .coin/, 2008, (accessed August 10, 2008).
5. JSON. http://www. json.org/, 2008, (accessed August 10, 2008).
6. OpenAjax Alliance, http://www.openajax.org/, 2008, (accessed August 10, 2008).
7. Session store API. http://developer.mozilla.org/en/ docs/Session-store- API, January 2008, (accessed August 10, 2008).
8. A. Barth, C. Jackson, and J. C. Mitchell. Securing frame communication in browsers. In Usenix Security Symposium, 2008.
9. J. Burke. Cross Domain Frame Communication with Fragment Identifiers. http://tagneto.blogspot.com/200 6/0 6/cross-domain-frame-communication-with. html,June 2006, (accessed August 10, 2008).
10. R. Cornford. Javascript Closures, http: //www. jibbering.com/faq/f aq-notes/closures .html, March 2004, (accessed August 10, 2008).
11. D. Crockford. Private Members in JavaScript, http: //www.crockford.com/ javascript/private.html, 2001, (accessed October 31, 2007).
12. D. Crockford. JSONRequest. http://www.json.org/JSONRequest.html, 2006, (accessed August 10, 2008).
13. M. Foundation. Public Suffix List: Learn more about the Public Suffix List, http://publicsuffix.org/learn/, 2008, (accessed August 10, 2008).
14. Google, google-caja. http://code.google.com/p/google-caja/, 2008, (accessed August 10, 2008).
15. Google. Using JSON with Google Data APIs. http://code.google.com/apis/ gdata/json.html, 2008, (accessed August 10, 2008).
16. N. Hardy. The Confused Deputy: (or why capabilities might have been invented). SIGOPS Operating Systems Reviews, 22(4):36-38, 1988.
17. C. Jackson. JSONRequest Extension for Firefox. http://crypto.stanford. edu/jsonrequest/,2007, (accessed August 10, 2008).
18. C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh. Protecting Browsers from DNS Rebinding Attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), pages 421-431, New York, NY, USA, 2007. ACM.
19. C. Jackson and H. J. Wang. Subspace: Secure Cross-Domain Communication for Web Mashups. In Proceedings of the 16th International World Wide Web Conference (WWW2007), pages 611-620, New York, NY, USA, May 2007. ACM.
20. C. Karlof, U. Shankar, J. Tygar, and D. Wagner. Dynamic Pharming Attacks and Locked Same-origin Policies for Web Browsers. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), pages 58-71, New York, NY, USA, 2007. ACM.
21. F. D. Keukelaere, S. Bhoia, M. Steiner, S. Chari, and S. Yoshihama. Smash: secure component model for cross-domain mashups on unmodified browsers. In IVWW '08: Proceeding of the 17th international conference on World Wide Web, pages 535-544, New York, NY, USA, 2008. ACM.
22. Z. Leatherman. Cross Domain XHR with Firefox. http://www.zachleat.com/ web/2007/08/30/ cross-domain-xhr-with-firefox/, August 2007, (accessed August 10, 2008).
23. C. Reis, S. D. Gribble, and H. M. Levy. Architectural principles for safe web programs. In Sixth Workshop on Hot Topics in Networks, 2007.
24. J. Ruderman. The Same Origin Policy. http://www.mozilla.org/projects/ security/ components/same-or igin.html, August 2001, (accessed August 10,2008).
25. J. Ruderman. Configurable Security Policies (CAPS). http://www.mozilla. org/projects/security/ components/Conf igPolicy.html, April 2006, (accessed August 10, 2008).
26. H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and Communication Abstractions for Web Browsers in MashupOS. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP 2007), pages 1-16, New York, NY, USA, October 2007. ACM.
27. Yahoo! Using JSON with Yahoo! Web Services. http://developer.yahoo.com/ common/json.html, 2008, (accessed August 10, 2008).