frame isolation and the same origin policy collin jackson cs 142 winter 2009
TRANSCRIPT
Frame isolation and thesame origin policy
Collin Jackson
CS 142 Winter 2009
Outline
Security User Interface Goals of a browser When is it safe to type my password?
Same-Origin Policy How sites are isolated Opting out of isolation
Navigation Frame hijacking Navigation policy
3
Running Remote Code is Risky
Integrity Compromise your machine Install malware rootkit Transact on your accounts
Confidentiality Read your information Steal passwords Read your email
4
Browser Sandbox
Goal Run remote web applications safely Limited access to OS, network, and
browser data
Approach Isolate sites in different security
contexts Browser manages resources, like an OS
5
Security User Interface
When is it safe to type my password?
Safe to type your password?
6
Safe to type your password?
7
Safe to type your password?
8
Safe to type your password?
9
???
???
Safe to type your password?
10
Frames
Modularity Brings together content
from multiple sources Client-side aggregation
Delegation Frame can draw only on
its own rectangle
src = 7.gmodules.com/...name = remote_iframe_7
src = google.com/…name = awglogin
Popup windows
With hyperlinks<a href=“http://www.b.com” target=“foo”>click here</a>
With JavaScriptmywin = window.open(“http://www.b.com”, “foo”, “width=10,height=10”)
Navigating named window re-uses existing one Can access properties of remote window:
mywin.document.bodymywin.location =
“http://www.c.com”;
Windows Interact
13
Are all interactions good?
14
15
Same-Origin Policy
How does the browser isolate different sites?
Policy Goals
Safe to visit an evil web site
Safe to visit two pages at the same time Address bar
distinguishes them
Allow safe delegation
Same Origin Policy
Origin = protocol://host:port
Full access to same origin Full network access Read/write DOM Storage (more on Weds.)
Assumptions?
Site A
Site A context
Site A context
Library import
<script src=https://seal.verisign.com/getseal?host_name=a.com></script>
• Script has privileges of imported page, NOT source server.• Can script other pages in this origin, load more scripts• Other forms of importing
VeriSignVeriSign
Data export
Many ways to send information to other origins<form action="http://www.bank.com/">
<input name="data" type="hidden" value="hello"></form>
<img src="http://www.b.com/?data=hello"/>
No user involvement requiredCannot read back response
Domain Relaxation
Origin: scheme, host, (port), hasSetDomainTry document.domain = document.domain
www.facebook.com
www.facebook.comwww.facebook.com chat.facebook.com
chat.facebook.com
facebook.comfacebook.com
Recent Developments
Cross-origin network requests
Access-Control-Allow-Origin: <list of domains>
Access-Control-Allow-Origin: *
Cross-origin client side communication
Client-side messaging via navigation (older browsers)
postMessage (newer browsers)
Site BSite A
Site A context Site B context
window.postMessage
New API for inter-frame communication Supported in latest betas of many
browsers
A network-like channel between framesAdd a contact
Share contacts
postMessage syntax
frames[0].postMessage("Attack at dawn!", "http://b.com/");
window.addEventListener("message", function (e) {
if (e.origin == "http://a.com") { ... e.data ... }}, false);
FacebookAnecdote
Attack at dawn!
24
Navigation
Who decides what content goes in a frame?
25
A Guninski Attack
awglogin
window.open("https://attacker.com/", "awglogin");
What should the policy be?
26
Child
Sibling
Descendant
Frame Bust
Browser Policy IE 6 (default) Permissive IE 6 (option) Child IE7 (no Flash) Descendant IE7 (with Flash) Permissive Firefox 2 Window Safari 3 Permissive Opera 9 Window HTML 5 Child
Legacy Browser Behavior
Window Policy Anomaly
top.frames[1].location = "http://www.attacker.com/...";top.frames[2].location = "http://www.attacker.com/...";
...
Browser Policy
IE7 (no Flash) Descendant
IE7 (with Flash) Descendant
Firefox 3 Descendant
Safari 3 Descendant
Opera 9 (many policies)
HTML 5 Descendant
Adoption of Descendant Policy
Why include “targetOrigin”?
What goes wrong?frames[0].postMessage("Attack at dawn!");
Messages sent to frames, not principals
When would this happen?
30
Conclusion
Same origin policy is flexible Address bar reflects the principal that's in control Content may be affected by other principals
Delegation Library import Domain relaxation Pixel delegation via frames
Communication Data export Opt-in messaging
Reading
Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy