Web Same-Origin-Policy Lab
Zutao Zhu
11/06/2009
Outline
• Background
• Setting
• SOP
Background
• Document Object Model (DOM)
• Cookie
• XMLHttpRequest
• HTML
• LiveHTTPHeaders extension for Firefox
DOM
• The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. – from wiki
Cookie
• Cookies are placeholders for server-provided data in the web browser typically used to track sessions.
• Each cookie is a key-value pair such as "color=green" and may have some optional attributes.
• Web applications can create a cookie in the web browser using the Set-Cookie header in the HTTP response.
Cookie (cont.)
• After cookies are created, web browsers attach the cookies in all the subsequent requests to the web application.
• In a JavaScript program, all the cookies of the web application can be referenced through the document.cookie property.
• In cookie-based session-management schemes, web applications store the session identifier in a cookie in the web browser.
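The two cookie representations named on the slides, the Set-Cookie response header and the document.cookie string, as an added example that is not part of the original lab material. The parsers follow the "name=value; attribute; attribute=value" layout the slides describe; the sample headers are constructed, and the HttpOnly attribute (a standard cookie attribute the slides do not mention) is included only to show that not every cookie the browser stores is visible through document.cookie.

```javascript
// Added example (not from the slides): parsing Set-Cookie and document.cookie.

// Parse one Set-Cookie header value, e.g. 'color=green; Path=/; HttpOnly'.
// Returns { name, value, attributes }; attribute names are lower-cased and
// valueless attributes (HttpOnly, Secure) are stored as true.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(";").map((p) => p.trim()).filter(Boolean);
  const [pair, ...attrs] = parts;
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error("Set-Cookie must start with name=value");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Parse the document.cookie string, e.g. 'color=green; PHPSESSID=abc123',
// into a name -> value map. document.cookie carries only name=value pairs;
// the attributes set by the server are not visible to script.
function parseDocumentCookie(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    jar[name.trim()] = value.trim();
  }
  return jar;
}

// Simulate what the browser exposes to script: every cookie is stored and
// attached to later requests, but cookies set with HttpOnly are omitted
// from document.cookie.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !("httponly" in c.attributes))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample response headers (not captured from a real server).
const SAMPLE_SET_COOKIE = [
  "color=green; Path=/",
  "PHPSESSID=abc123; Path=/; HttpOnly",
];

console.log(parseSetCookie(SAMPLE_SET_COOKIE[1]));
console.log(parseDocumentCookie("color=green; PHPSESSID=abc123"));
console.log("document.cookie would show:", scriptVisibleCookies(SAMPLE_SET_COOKIE));
```

Comparing the output of scriptVisibleCookies with the headers observed in LiveHTTPHeaders is a quick way to see which cookies a page's scripts can actually read.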
Use Live HTTP Header (tools)
XMLHttpRequest
• XMLHttpRequest has an important role in the AJAX web development technique. – from wiki
• http://www.w3.org/TR/XMLHttpRequest/
• Example (a POST request sent from script):
  <script>
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://www.originalphpbb.com/posting.php", true);
    xhr.send(null);
  </script>
HTML
• http://www.w3schools.com/TAGS/tag_a.asp
  – frame
  – iframe
  – img
  – a
LiveHTTPHeaders
• Observe the post request
• Observe the response
• Observe the cookie
Setting
• about:config in address bar of Firefox
SOP
• Origin: <protocol, domain, port>
  – Protocol: http://, file://, ftp://, etc.
  – Domain: microsoft.com, google.com, etc.
  – Port: 80, 8080, 21, 3128, etc.
• The SOP identifies each web site using its origin, and creates a context for each origin.
• For each origin, the web browser creates a context and stores the resources of the web application from the origin in the context.
• JavaScript programs from one origin are not allowed to access resources from another origin.
Examples
• Origin checks against the URL "http://www.example.com/dir/page.html". – from wiki
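The origin tuple from the SOP slide and the comparison against "http://www.example.com/dir/page.html" from the Examples slide, worked as an added example that is not part of the original lab material. The comparison cases are constructed (the usual Wikipedia set, plus the XMLHttpRequest target from the earlier slide); the only assumption beyond the slides is that a URL without an explicit port takes its scheme's default port, so "http://host/" and "http://host:80/" share an origin.

```javascript
// Added example (not from the slides): the <protocol, domain, port> origin
// tuple and the same-origin comparison a browser applies before letting
// script from one page touch resources loaded from another.

// Default ports per scheme (assumption stated in the lead-in).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Return the origin tuple of a URL string. Path, query, fragment and
// user:password are ignored: they are not part of the origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { protocol: u.protocol, domain: u.hostname, port };
}

// Two URLs share an origin only when all three tuple components match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.domain === y.domain && x.port === y.port;
}

// Constructed comparison cases against the slide's reference URL.
const PAGE = "http://www.example.com/dir/page.html";
const CASES = [
  ["http://www.example.com/dir/page2.html", true, "same protocol, host and port"],
  ["http://www.example.com/dir2/other.html", true, "different path only"],
  ["http://user:pass@www.example.com/dir2/other.html", true, "user info ignored"],
  ["http://www.example.com:80/dir/other.html", true, "explicit default port"],
  ["http://www.example.com:81/dir/other.html", false, "different port"],
  ["https://www.example.com/dir/other.html", false, "different protocol"],
  ["http://en.example.com/dir/other.html", false, "different host (subdomain)"],
  ["http://example.com/dir/other.html", false, "different host (parent domain)"],
  ["http://v2.www.example.com/dir/other.html", false, "different host"],
  ["http://www.originalphpbb.com/posting.php", false, "XHR target from the earlier slide"],
];

// Run every case; returns the descriptions whose verdict disagrees with the
// expected one (empty when the check behaves as the slides state).
function checkCases() {
  return CASES
    .filter(([url, expected]) => sameOrigin(PAGE, url) !== expected)
    .map(([, , why]) => why);
}

for (const [url, , why] of CASES) {
  console.log(sameOrigin(PAGE, url) ? "same origin     " : "different origin", url, "(" + why + ")");
}
console.log("mismatches:", checkCases());
```

The last case is the point of the lab: a script on www.example.com that calls xhr.open against www.originalphpbb.com is talking to a different origin, so the browser's SOP context for the page does not let it read that response.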
Resources for SOP
• Cookie
• History
• URL
• Contents
• Etc.
URL
• When I type the address of a cross-domain web page into the URL bar, can you use “forward” and “backward”?
• Is the URL shown?
Tags do not honor SOP
• Find out for yourself!
Reference
• http://wikipedia.org/
• http://www.w3.org/TR/2008/WD-XMLHttpRequest2-20080930/
• http://getfirebug.com/