Securing frame communication in browsers-Reference-Cited by-同舟云学术

Securing frame communication in browsers

Published:2009-06 Issue:6 Volume:52 Page:83-91
ISSN:0001-0782
Container-title:Communications of the ACM
language:en
Short-container-title:Commun. ACM

Author:

Barth Adam¹,Jackson Collin²,Mitchell John C.²

Affiliation:

1. UC Berkeley

2. Stanford University

Abstract

Many Web sites embed third-party content in frames, relying on the browser's security policy to protect against malicious content. However, frames provide insufficient isolation in browsers that let framed content navigate other frames. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in the open-source browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also affects communication between cooperating frames. We therefore analyze two techniques for interframe communication between isolated frames. The first method, fragment identifier messaging, initially provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, <code>postMessage</code>, initially provides authentication, but we discover an attack that breaches confidentiality. We propose improvements in the <code>postMessage</code> API to provide confidentiality; our proposal has been standardized and adopted in browser implementations.

Publisher

Association for Computing Machinery (ACM)

Subject

General Computer Science

Link

https://dl.acm.org/doi/pdf/10.1145/1516046.1516066

Reference22 articles.

1. Burke J. Cross domain frame communication with fragment identifiers. http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html. Burke J. Cross domain frame communication with fragment identifiers. http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html.

2. Crockford D. The <module> tag. http://www.json.org/module.html. Crockford D. The <module> tag. http://www.json.org/module.html.

3. Why phishing works

4. Eich B. JavaScript: Mobility and ubiquity. http://kathrin.dagstuhl.de/files/Materials/07/07091/07091EichBrendan.Slides.pdf. Eich B. JavaScript: Mobility and ubiquity. http://kathrin.dagstuhl.de/files/Materials/07/07091/07091EichBrendan.Slides.pdf.

Cited by 41 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Information Security Awareness Among Postgraduate Students;Advances in Library and Information Science;2022-10-14

2. Spy in Your Eye: Spycam Attack via Open-Sided Mobile VR Device;IEICE Transactions on Information and Systems;2022-10-01

3. SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward;2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P);2022-06

4. Web and Browser Security;Information Security and Cryptography;2021

5. PMForce: Systematically Analyzing postMessage Handlers at Scale;Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security;2020-10-30