Sciweavers

USS
2008

Securing Frame Communication in Browsers

14 years 1 months ago
Securing Frame Communication in Browsers
Many web sites embed third-party content in frames, relying on the browser's security policy to protect them from malicious content. Frames, however, are often insufficient isolation primitives because most browsers let framed content manipulate other frames through navigation. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in the opensource browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also hinders communication between cooperating frames. We analyze two techniques for inter-frame communication. The first method, fragment identifier messaging, provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, postMessage, provides authentication, but we discover an attack that breaches confidentiality. We modify the postMessage API to provide confidentiality and see our modifications standardized and adopte...
Adam Barth, Collin Jackson, John C. Mitchell
Added 02 Oct 2010
Updated 02 Oct 2010
Type Conference
Year 2008
Where USS
Authors Adam Barth, Collin Jackson, John C. Mitchell
Comments (0)