Browser Internals-Same Origin Policy
Transcript of Browser Internals-Same Origin Policy
Slide 1
Krishna Chaitanya T
Infosys Labs
Microsoft MVP, Internet Explorer
Content Isolation with Same Origin Policy
Slide 2
You know this is possible… (why?)
Slide 3
Why not this?
Slide 4
Why?
Slide 5
Why not?
Slide 6
The big (small) picture
• WHO can access WHAT from WHERE, HOW and WHY? Any IFs and BUTs? ;)
[Diagram: Site A and its browsing context on one side, Site B and its browsing context on the other]
Slide 7
The questions…
• Can A get resources from B.com?
• Can A execute resources from B.com?
• Can A post content to B.com?
• Can A interfere with the DOM of B?
• Can A redirect a browsing context of B?
Slide 8
More questions…
• Can A read cookies/localStorage of B?
• What about the http and https schemes?
• How about different port numbers?
• Can chat.A.com communicate with A.com?
• Can blog.com/user1 talk to blog.com/user2?
Slide 9
Ok. Now enough of questions.
Let’s clear the confusion!
Slide 10
Same Origin Policy (SOP)
• Browser has to isolate different origins
• Origin = scheme://host:port (the three URLs below are three distinct origins)
  • https://mysite.com
  • http://chat.mysite.com
  • http://mysite.com:81/
• Privileges within an origin
  • Full network access, storage, read/write access to the DOM
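As an added example (not code from the slides), the scheme://host:port comparison that the slide describes, written out in Node.js and run against constructed URL pairs that mirror the questions on slide 8:

```javascript
// Added example (not from the slides): derive the scheme://host:port triple the
// Same Origin Policy compares, and answer the slide's questions with it.
// The URLs below are constructed for illustration.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Serialized origin with the scheme's default port made explicit, so that
// http://a.com and http://a.com:80 compare equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed pairs mirroring the "More questions" slide.
const CASES = [
  ['https://mysite.com/', 'http://mysite.com/'],        // scheme differs
  ['http://mysite.com/', 'http://mysite.com:81/'],      // port differs
  ['http://chat.mysite.com/', 'http://mysite.com/'],    // host differs (subdomain)
  ['http://blog.com/user1', 'http://blog.com/user2'],   // only the path differs
  ['http://mysite.com/', 'http://mysite.com:80/a?b#c'], // default port, query and fragment are not part of the origin
];

function sopTable() {
  return CASES.map(([a, b]) => ({ a, b, sameOrigin: sameOrigin(a, b) }));
}

console.table(sopTable());
```

Only the last two pairs are same-origin: the path, query and fragment play no part, and an explicit default port is the same origin as no port. Cookies are the notable exception to this triple (see the asterisk on slide 11): they are scoped by domain and path and ignore the port entirely.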
Slide 11
SOP facts…
• Script inclusion is not subject to SOP: a cross-origin <script src> is fetched and executed with the privileges of the including page.
• Frames have separate security contexts for each origin.
• Frame Navigation Policy: script in frame A can navigate frame B (this is navigation, not SOP: A still cannot read B's DOM).
• Access to HTML5 localStorage and cookies* is governed by SOP.
  *Cookies are scoped by domain and path rather than by the full scheme://host:port origin: the port is ignored, and a cookie without the Secure flag is shared between http and https.
Slide 12
SOP facts…
• Browsers do not prevent cross-domain content inclusion!
• Examples:
<iframe src="…"></iframe>
<img src="…">
<link rel="stylesheet" href="…">
• The including page cannot read the content, but events such as onload and onerror reveal whether it loaded, which leaks information about the user (for example, whether they are logged in to the other site).
Slide 13
So how is cross origin communication feasible with Same Origin Policy in place?
HACKS / SOP bypass
Slide 14
SOP Hacks
• JSONP – JSON with Padding
• Domain relaxation – document.domain
• Server side proxies
• JavaScript window.name hack
• Iframe hacks: Fragment Identifier Messaging (FIM), Subspace, etc.
Slide 15
Understanding JSONP
1. Create a JavaScript function (the callback)
2. Pass it valid JSON data and execute it
3. Move the code in step 2 to an external JS file (the idea is to simulate the server's response). So far, so good.
function processData(data) {
  console.log('Hello ' + data.firstName + ' ' + data.lastName);
}
processData({firstName:'Krishna', lastName:'Chaitanya'});
Slide 16
Understanding JSONP
4. Configure the server-side code to respond to the callback query-string parameter
5. Script loading is exempted from SOP, so the code so far still works
6. Wrap the JSON data in a call to the function named in the query string
<script src="http://mysite.com/index.aspx?callback=processData"></script>
// Response body returned by index.aspx:
processData({firstName:'Krishna', lastName:'Chaitanya'});
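The six steps above, carried through end to end as an added example (not code from the slides) in plain Node.js. buildJsonpResponse stands in for index.aspx and runJsonp stands in for the browser evaluating the fetched script; the function names, the regular expression and the data are assumptions for illustration:

```javascript
// Added example (not from the slides): the JSONP round trip simulated in plain
// Node.js. buildJsonpResponse stands in for index.aspx; runJsonp stands in for
// the browser evaluating the fetched <script>. Names and data are made up.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isCallbackAccepted(name) {
  return typeof name === 'string' && CALLBACK_RE.test(name);
}

// Server side: wrap the JSON in a call to the client-supplied function name.
// The response is executed as script by the caller, so an unvalidated name
// (e.g. ?callback=alert(1);//) turns the endpoint into reflected XSS.
function buildJsonpResponse(callbackParam, data) {
  if (!isCallbackAccepted(callbackParam)) {
    throw new Error('invalid JSONP callback name');
  }
  return `${callbackParam}(${JSON.stringify(data)});`;
}

// Client side: <script src="...?callback=processData"> is fetched without any
// SOP check and evaluated in the page's global scope. new Function stands in
// for that evaluation; the page exposes only its callback.
function runJsonp(responseText) {
  const received = [];
  const processData = (d) => received.push(`Hello ${d.firstName} ${d.lastName}`);
  new Function('processData', responseText)(processData);
  return received;
}

const response = buildJsonpResponse('processData', { firstName: 'Krishna', lastName: 'Chaitanya' });
console.log(response);                          // processData({"firstName":"Krishna","lastName":"Chaitanya"});
console.log(runJsonp(response));                // [ 'Hello Krishna Chaitanya' ]
console.log(isCallbackAccepted('alert(1);//'));  // false
```

Two things make JSONP a hack rather than a channel: the including page runs whatever the remote server returns with its own full privileges, and the server cannot tell which page is asking, so any JSONP endpoint that returns data tied to the user's session is readable by every site that user visits while logged in. The callback-name check only closes the reflected-XSS hole; it does not address either of those.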
Slide 17
Domain relaxation
• Cooperating sites under a common parent domain can relax their origins to that parent
• "a.site.com" & "site.com" are different origins
• Both parties must set document.domain (doing so also drops the port from the effective origin)
• Now the subdomain enjoys same-origin benefits!
document.domain = "site.com"
• Caveat: every other subdomain of site.com can join the relaxed group the same way, so one compromised subdomain reaches all of them. The document.domain setter is deprecated in the HTML standard and disabled by default in Chromium-based browsers.
Slide 18
Surprisingly, there was no standard for cross-origin communication until recently, only a few clever hacks.
Here comes HTML5!
Slide 19
Genuine Cross Origin Access
• Client side - HTML5 PostMessage API
• Secure communication between frames
otherwindow.postMessage(message, targetOrigin);
// Posting a message to a cross-domain partner
frames[0].postMessage("Hello Partner!", "http://localhost:81/");
// Retrieving the message on the receiving side
window.onmessage = function (e) {
  if (e.origin == 'http://localhost') {
    // sanitize and accept data
  }
};
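An added example (not code from the slides) of what "sanitize and accept data" has to mean on the receiving side, run in Node.js against constructed events that stand in for MessageEvent objects. The trusted-origin list, the message shape and the function names are assumptions for illustration:

```javascript
// Added example (not from the slides): a postMessage receiver with the origin
// check done properly, run against constructed events in Node.js. The
// allow-list, message shape and handler names are assumptions.
const TRUSTED_ORIGINS = new Set(['http://localhost', 'https://partner.example']);

// Weak check seen in the wild: any origin containing the string passes, so
// http://localhost.attacker.example or https://partner.example.evil do too.
function weakOriginCheck(origin) {
  return origin.indexOf('localhost') !== -1 || origin.indexOf('partner.example') !== -1;
}

// Strict check: exact match on the full serialized origin, as e.origin ==
// 'http://localhost' does on the slide.
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Receiver: validate the origin, then the message shape, before using anything.
// The reply names the sender's origin as targetOrigin (never "*"), so it cannot
// be read if the sending frame has since been navigated to another site.
function onMessage(event) {
  if (!strictOriginCheck(event.origin)) return { accepted: false, reason: 'origin' };
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null || msg.type !== 'greeting' || typeof msg.text !== 'string') {
    return { accepted: false, reason: 'shape' };
  }
  // msg.text is data: it would go into textContent, never innerHTML or eval.
  event.source.postMessage({ type: 'ack', text: msg.text.slice(0, 100) }, event.origin);
  return { accepted: true, reason: null };
}

// Constructed stand-in for a MessageEvent; replies are recorded in `sent`.
function fakeEvent(origin, data) {
  const sent = [];
  return { origin, data, source: { postMessage: (m, target) => sent.push([m, target]) }, sent };
}

const ok = fakeEvent('https://partner.example', { type: 'greeting', text: 'Hello Partner!' });
console.log(onMessage(ok), ok.sent);
console.log(onMessage(fakeEvent('http://localhost.attacker.example', { type: 'greeting', text: 'x' })));
console.log(weakOriginCheck('http://localhost.attacker.example')); // true: this is the bug
```

The origin check is what makes postMessage a secure channel; a handler that omits it, or compares with indexOf as weakOriginCheck does, accepts messages from any page that can obtain a reference to the window (for example by opening it or framing it).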
Slide 20
Genuine Cross Origin Access
• Server side – HTML5 CORS
• XHR enhanced for secure cross origin sharing
• Server just needs to send this new header:
Access-Control-Allow-Origin: http://mysite.com (or) *
• * cannot be combined with credentials such as cookies; for credentialed requests the server must name one specific origin
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {   // CORS-capable XHR
  xhr.open("GET", "http://mysite.com", true);
  xhr.send();
} else {
  // Fallback behavior
}
More about these in future events
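The server side of the exchange, as an added example (not code from the slides) in plain Node.js: the header decision for a request carrying an Origin header, with the reflect-anything anti-pattern beside the corrected allow-list version. The allow-list, the request objects and the function names are assumptions for illustration:

```javascript
// Added example (not from the slides): the server-side decision behind
// Access-Control-Allow-Origin, run against constructed request objects.
// Allow-list and function names are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(['http://mysite.com', 'https://app.mysite.com']);

// Anti-pattern: reflect whatever Origin the browser sent and allow credentials.
// That is "*" with cookies attached, which the spec forbids: any site could
// then read the user's authenticated responses.
function reflectAnyOrigin(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected: exact-match allow-list, "Vary: Origin" so a shared cache never
// serves one origin's answer to another, credentials only with a named origin.
function corsHeaders(req, { credentials = false } = {}) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // no header: the browser blocks the read
  const h = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (credentials) h['Access-Control-Allow-Credentials'] = 'true';
  if (req.method === 'OPTIONS') {                         // preflight for non-simple requests
    h['Access-Control-Allow-Methods'] = 'GET, POST';
    h['Access-Control-Allow-Headers'] = 'Content-Type';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// Constructed requests as the server would see them.
const fromApp = { method: 'GET', headers: { origin: 'http://mysite.com' } };
const fromEvil = { method: 'GET', headers: { origin: 'https://evil.example' } };
const preflight = { method: 'OPTIONS', headers: { origin: 'https://app.mysite.com' } };

console.log(corsHeaders(fromApp, { credentials: true }));
console.log(corsHeaders(fromEvil));           // {}
console.log(corsHeaders(preflight));
console.log(reflectAnyOrigin(fromEvil));      // the bug: evil.example gets credentialed access
```

CORS governs whether the calling page may read the response; a simple GET or POST is still sent, cookies included, whether or not the header is present. It is therefore not a CSRF defence, and an allow-list that reflects the Origin header is exactly as open as *.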
Slide 21
A better picture
[Diagram: Site A and its browsing context, Site B and its browsing context, now linked by AJAX with Cross Origin Resource Sharing (HTML5), a server-side proxy, and postMessage (HTML5)]
Slide 22
Litmus Test ;)
If (!sleepy && !confused){
  GoTo slide 2;
  print("Answer all questions till slide 8 correctly");
}
else {
  GoTo slide 9;
  print("Repeat");
}
Slide 23
Thank You!
Twitter: @novogeek
Blog: http://novogeek.com