Securing frame communication in browsers

Published: 01 June 2009

Abstract

Many Web sites embed third-party content in frames, relying on the browser's security policy to protect against malicious content. However, frames provide insufficient isolation in browsers that let framed content navigate other frames. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in the open-source browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also affects communication between cooperating frames. We therefore analyze two techniques for interframe communication between isolated frames. The first method, fragment identifier messaging, initially provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, postMessage, initially provides authentication, but we discover an attack that breaches confidentiality. We propose improvements in the postMessage API to provide confidentiality; our proposal has been standardized and adopted in browser implementations.
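The postMessage confidentiality problem the abstract describes, as an added illustration that is not code from the paper or from any browser: a toy model of frames in which a frame can be navigated to another origin before a message is delivered. The origins, the message text and the class and function names are constructed for this example; the targetOrigin argument models the parameter the paper proposed and HTML5 adopted, and the receiver-side check models a handler comparing event.origin.

```javascript
// Added example (not from the paper): a toy model of browser frames and postMessage.
// Origins and messages below are constructed sample values.
class Frame {
  constructor(origin) {
    this.origin = origin;   // origin of the document currently loaded in the frame
    this.inbox = [];        // messages the current document has received
  }
  // Under a permissive frame navigation policy, another frame can change which
  // document (and therefore which origin) lives in this frame at any time.
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.inbox = [];
  }
  // Model of frame.postMessage(data, targetOrigin): the browser delivers only if the
  // frame's current origin matches targetOrigin. "*" means "deliver to whatever
  // document is loaded now", which is what the original API always did.
  postMessage(data, targetOrigin, senderOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) {
      return false; // dropped: the data never reaches an unexpected origin
    }
    this.inbox.push({ data, origin: senderOrigin }); // browser fills in event.origin
    return true;
  }
}

// The integrator sends a secret to its widget frame, but the frame has been
// navigated to an attacker-controlled origin first. Returns which origin
// ended up holding the secret, or null if the browser dropped the message.
function sendAfterNavigation(targetOrigin) {
  const widget = new Frame('https://widget.example');
  widget.navigate('https://attacker.example'); // the navigation step behind the attack
  const delivered = widget.postMessage('session token', targetOrigin, 'https://integrator.example');
  return delivered ? widget.origin : null;
}

// Receiver-side authentication: a handler trusts a message only if the
// browser-supplied origin is the one it expects.
function acceptsMessage(event, trustedOrigin) {
  return event.origin === trustedOrigin;
}

// Original API ('*'): sendAfterNavigation('*') reports the attacker's origin.
// Repaired API: sendAfterNavigation('https://widget.example') returns null.
```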



Published In

Communications of the ACM, Volume 52, Issue 6 (June 2009): One Laptop Per Child: Vision vs. Reality, 128 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/1516046

Publisher

Association for Computing Machinery, New York, NY, United States
