Securing frame communication in browsers

Proceedings of the 17th USENIX Security Symposium

Volumn , Issue , 2008, Pages 17-30

  Barth, Adam ^a   Jackson, Collin ^a   Mitchell, John C ^a  

^a STANFORD UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; NETWORK PROTOCOLS;

IN BROWSERS; INTER-FRAME; OPEN SOURCE BROWSER; SECURITY POLICY; THIRD-PARTY CONTENT;

NETWORK SECURITY;

EID: 85055250091     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (40)

1. Adam Barth et al. Adopt “descendant” frame navigation policy to prevent frame hijacking. https://bugzilla.mozilla.org/show_bug.cgi?id=408052.
2. Adam Barth and Collin Jackson. Protecting browsers from frame hijacking attacks, December 2007. http://crypto.stanford.edu/frames/.
3. James Burke. Cross domain frame communication with fragment identifiers. http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication -with.html.
4. Douglas Crockford. ADsafe: Making JavaScript safe for advertising. http://adsafe.org/.
5. Douglas Crockford. The tag. http://www.json.org/module.html.
6. Neil Daswani, Micheal Stoppelman, et al. The anatomy of Clickbot.A. In Proc. HotBots, 2007.
7. Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works. In CHI’06: Proceedings of the SIGCHI conference on human factors in computing systems, 2006.
8. Brendan Eich. JavaScript: Mobility and ubiquity. http://kathrin.dagstuhl.de/files/Materials/07/07091/07091. EichBrendan.Slides.pdf.
9. Facebook. Badges. http://www.facebook.com/help.php?page=4.
10. Facebook. Facebook Markup Language (FBML). http://wiki.developers.facebook.com/index.php/FBML.
11. Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach. Web spoofing: An Internet con game. In Proceedings of the 20th National Information Systems Security Conference, 1996.
12. Flickr API. http://flickr.com/services/api/.
13. Google. Caja: A source-to-source translator for securing JavaScript-based web content. http://code.google.com/p/google-caja/.
14. Google. Google Maps API. http://code.google.com/apis/maps/.
15. iGoogle. http://www.google.com/ig.
16. Georgi Guninski. Frame spoofing using loading two frames. https://bugzilla.mozilla.org/show_bug.cgi?id=13871.
17. Ian Hickson. Re: A potential slight security enhancement to postMessage, Februrary 2008. http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-February/ 013949.html.
18. Ian Hickson. Re: HTML5 frame navigation policy, April 2008. http://lists.whatwg.org/pipermail/whatwg-whatwg.org/ 2008-April/014597.html.
19. Ian Hickson et al. HTML 5 Working Draft. http://www.whatwg.org/specs/web-apps/current-work/.
20. Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh. Protecting browsers from DNS rebinding attacks. In Proceedings of of the 14th ACM Conference on Computer and Communications Security (CCS), 2007.
21. Collin Jackson and Helen J. Wang. Subspace: Secure cross-domain communication for web mashups. In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007.
22. Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, and Sachiko Yoshihama. SMash: Secure cross-domain mashups on unmodified browsers. In Proceedings of the 17th International World Wide Web Conference (WWW), 2008.
23. Gavin Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proceedings of TACAS, volume 1055. Springer Verlag, 1996.
24. Henry Mason. No support for MessageEvent interface, 2007. https://bugs.webkit.org/show_bug.cgi?id=14994.
25. Microsoft. postMessage method. http://msdn.microsoft.com/en-us/library/cc197015(VS.85).aspx.
26. Microsoft. SECURITY attribute. http://msdn2.microsoft.com/en-us/library/ms534622(VS.85).aspx.
27. Microsoft. Try the Windows Live Contacts control. http://dev.live.com/mashups/trypresencecontrol/.
28. Microsoft. Windows Live. http://home.live.com/.
29. Roger M. Needham and Michael D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, 1978.
30. National Institute of Standards and Technology. CVE-2007-5858, December 2007.
31. Charlie Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In 7th Symposium on Operating Systems Design and Implementation (OSDI), 2006.
32. Adam Roben et al. Change postMessage/MessageEvent to match HTML5 wrt. exposing origin vs. domain/uri. https://bugs.webkit.org/show_bug.cgi?id=17331.
33. David Ross, 2008. Personal communication.
34. J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/projects/security/components/same-origin. html.
35. Hallvord Steen, 2008. Personal communication.
36. Danny Thorpe. Secure cross-domain communication in the browser. The Architecture Journal, 12:14–18, July 2007. http://msdn2.microsoft.com/en-us/library/bb735305.aspx.
37. Jeff Walden. Implement HTML5’s cross-document messaging API (postMessage), 2007–2008. https://bugzilla.mozilla.org/show_bug.cgi?id=387706.
38. Jeff Walden et al. Update postMessage and MessageEvent to reflect domain/uri being replaced by origin, optional origin argument. https://bugzilla.mozilla.org/show_bug.cgi?id=417075.
39. Helen J. Wang, Xiaofeng Fan, Jon Howell, and Collin Jackson. Protection and communication abstractions for web browsers in MashupOS. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP), 2007.
40. Yahoo! My Yahoo! http://my.yahoo.com/.