Content Isolation with Same Origin Policy

     Krishna Chaitanya T
         Infosys Labs
Microsoft MVP, Internet Explorer
You know this is possible… (why?)
Why not this?
Why?
Why not?
The big (small) picture
• WHO can access WHAT from WHERE,
  HOW and WHY? Any IFs and BUTs? ;)

  [Diagram: Site A and Site B, each loaded in its own browsing context]
The questions…
• Can A get resources from B.com?

• Can A execute resources from B.com?

• Can A post content to B.com?

• Can A interfere with the DOM of B?

• Can A redirect a browsing context of B?
More questions…
• Can A read cookies/localStorage of B?

• What about the http/https protocols?

• How about different port numbers?

• Can chat.A.com communicate with A.com?

• Can blog.com/user1 talk to blog.com/user2?
Ok. Now enough of questions.

   Let’s clear the confusion!
Same Origin Policy (SOP)
• Browser has to isolate different origins
• Origin = scheme://host:port
  • https://mysite.com
  • http://chat.mysite.com
  • http://mysite.com:81/

• Privileges within origin
  • Full network access, storage, read/write access to DOM
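The origin triple is easy to get wrong by hand (default ports, letter case, the path), so here is an added example, not from the slides, that computes it with the standard URL parser and then answers the questions from the earlier slides. The default-port rule and the sample URLs are assumptions added for the demo.

```javascript
// Added example (not from the slides): compute the scheme://host:port triple
// the Same Origin Policy compares, and apply it to the deck's sample URLs.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns the origin triple as a string. The URL parser drops a default port
// and lower-cases the host, so the port is put back explicitly to make
// http://a.com and http://a.com:80 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two URLs are same-origin iff their triples match. Path, query and fragment
// play no part, which is why blog.com/user1 and blog.com/user2 share an origin.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The questions from the earlier slides, answered by the function.
function answerTheQuestions() {
  const base = "http://mysite.com/";
  return {
    https: sameOrigin(base, "https://mysite.com/"),          // false: scheme differs
    subdomain: sameOrigin(base, "http://chat.mysite.com/"),  // false: host differs
    port81: sameOrigin(base, "http://mysite.com:81/"),       // false: port differs
    port80: sameOrigin(base, "http://mysite.com:80/"),       // true: 80 is the default
    path: sameOrigin("http://blog.com/user1", "http://blog.com/user2"), // true: path ignored
  };
}
```

Only the first three components count; a subdomain, a different scheme or a non-default port each make a distinct origin, while two paths on the same host share everything the browser grants to that origin.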
SOP facts…
• Script requests are not subject to SOP!
• Frames have separate security contexts for
  each origin.
• Frame Navigation Policy: Script in Frame A
  can navigate Frame B (This is not SOP!)
• Access to HTML5 LocalStorage and Cookies*
  is governed by SOP.
SOP facts…
• Browsers do not prevent cross domain
  content inclusion!
• Examples:
    <iframe src="…"></iframe>
    <img src="…">
    <link rel="stylesheet" href="…">
• Information about user’s interaction can be
  collected using events onload, onerror etc.
So how is cross origin communication feasible with
           Same Origin Policy in place?



       HACKS / SOP bypass
SOP Hacks
• JSONP – JSON with Padding
• Domain relaxation – document.domain
• Server side proxies
• JavaScript window.name hack
• Iframe hacks - Fragment Identifier
  Messaging (FIM), Subspace etc.
Understanding JSONP
1. Create a JavaScript function (callback)
   function processData(data){
              console.log('Hello '+data.firstName+' '+data.lastName);
   }

2. Pass valid JSON data & execute it
       processData({firstName:'Krishna', lastName:'Chaitanya'});



3. Move the code in step 2 to an external JS file
   (the idea is to simulate the server's response).
   So far, so good.
Understanding JSONP
4. Configure server side code to respond to
   the query string
   <script src="http://mysite.com/index.aspx?callback=processData"></script>



5. Script loading is exempted from SOP, so
   the code so far still works.
6. Wrap JSON data with function name.
       processData({firstName:'Krishna', lastName:'Chaitanya'});
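Steps 1 to 6 put together, as an added example that is not from the slides: a stand-in for the server side of `index.aspx?callback=...` and the client callback, run outside a browser. The handler, the callback-name rule and the use of `new Function` to imitate what the browser does when the `<script>` response arrives are all assumptions of this demo. It also shows the one check the slides do not spell out: the callback name is attacker-controlled input that the server reflects into a script body, so it has to be validated strictly.

```javascript
// Added example (not from the slides): a minimal JSONP endpoint and client.

// Accepts identifier-like names only (dots allowed for "ns.handler").
// Anything else, e.g. "alert(1);//", is refused instead of being reflected.
const CALLBACK_NAME = /^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/;

// Server side (hypothetical handler for index.aspx?callback=...): wrap the
// JSON payload in a call to the requested callback (step 6 of the slides).
function jsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error("rejected callback name: " + callbackName);
  }
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// Client side: the callback the page defines before inserting the <script>
// (step 1 of the slides). Results are collected so they can be inspected.
const received = [];
function processData(data) {
  received.push("Hello " + data.firstName + " " + data.lastName);
}

// Imitates the browser executing the fetched script in the page's origin.
// This is the whole point, and the whole risk, of JSONP: the response is
// code, not data, so the page fully trusts the server it fetches from.
function runAsScript(responseText) {
  new Function("processData", responseText)(processData);
}

// Constructed round trip: what the browser would do for the <script> tag.
function demo() {
  const body = jsonpResponse("processData", { firstName: "Krishna", lastName: "Chaitanya" });
  runAsScript(body);
  return received[received.length - 1];
}
```

Compare this with CORS later in the deck: there the response stays data and the browser, not the remote server, decides whether the page may read it.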
Domain relaxation
• Cooperating websites sharing common
  TLDs can relax their origins
• "a.site.com" & "site.com" - different origins
• Both parties should set document.domain
               document.domain = "site.com";


• Now sub domain enjoys same origin
  benefits!
Surprisingly, there wasn't a standard for cross origin
 communication till recently. Only a few clever hacks.



         Here comes HTML5!
Genuine Cross Origin Access
• Client side - HTML5 PostMessage API
  • Secure communication between frames
      otherwindow.postMessage(message, targetOrigin);

    // Posting a message to a cross domain partner. targetOrigin is the
    // origin the receiving frame must have, or the browser drops the message.
    frames[0].postMessage("Hello Partner!", "http://localhost:81/");

    // Retrieving the message on the receiving side. e.origin is set by the
    // browser, so this check is what keeps other sites out.
    window.onmessage = function (e) {
         if (e.origin === 'http://localhost') {
             // sanitize and accept data
         }
    };
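The receiver above is shown with its origin check only; the added example below (not from the slides) fills in the rest of a defensible handler: an allow-list of sender origins, a shape check on the payload, and counters for what was dropped, together with the sender side naming the partner's exact origin. The origins, the message shape and the constructed events are assumptions, so that it runs without a browser.

```javascript
// Added example (not from the slides): an origin-checked postMessage receiver
// and its sender. Origins and message shape are assumptions for the demo.
const ALLOWED_SENDERS = new Set(["http://localhost", "https://partner.example"]);

// Returns a window.onmessage handler. `deliver` sees only messages from an
// allowed origin with the expected shape; everything else is dropped and
// counted so it can be logged.
function createReceiver(allowedOrigins, deliver) {
  const stats = { accepted: 0, rejectedOrigin: 0, rejectedShape: 0 };
  function onMessage(e) {
    // e.origin is filled in by the browser, not by the sender, so it is the
    // one field in the event that can be trusted.
    if (!allowedOrigins.has(e.origin)) {
      stats.rejectedOrigin++;
      return;
    }
    // Even from a trusted origin the payload is data, not code: check its
    // shape here and never eval() it or write it out as HTML.
    const m = e.data;
    if (m === null || typeof m !== "object" ||
        typeof m.type !== "string" || typeof m.text !== "string") {
      stats.rejectedShape++;
      return;
    }
    stats.accepted++;
    deliver(m);
  }
  return { onMessage, stats };
}

// Sender side: always name the partner's exact origin. With "*" the message
// would be delivered to whatever document is currently loaded in that frame.
function sendGreeting(targetWindow, partnerOrigin, text) {
  targetWindow.postMessage({ type: "greeting", text }, partnerOrigin);
}

// Constructed message events standing in for what a browser would deliver.
const CONSTRUCTED_EVENTS = [
  { origin: "http://localhost", data: { type: "greeting", text: "Hello Partner!" } },
  { origin: "http://evil.example", data: { type: "greeting", text: "spoofed" } },
  { origin: "http://localhost", data: "a bare string, wrong shape" },
];

// Runs the constructed events through the receiver and reports the outcome.
function demo() {
  const delivered = [];
  const receiver = createReceiver(ALLOWED_SENDERS, (m) => delivered.push(m.text));
  CONSTRUCTED_EVENTS.forEach(receiver.onMessage);
  return { delivered, ...receiver.stats };
}
```

Both halves matter: the receiver's origin check decides who may talk to it, and the sender's `targetOrigin` decides who may receive, which is why neither side should use `"*"` for anything confidential.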
Genuine Cross Origin Access
• Server side – HTML5 CORS
  • XHR enhanced for secure cross origin sharing
     var xhr = new XMLHttpRequest();
     // "withCredentials" exists only on CORS-capable XHR implementations,
     // so its presence is the feature test for cross origin requests.
     if ("withCredentials" in xhr) {
                xhr.open("GET", "http://mysite.com", true);
                xhr.send();
     } else {
                // Fallback behavior
     }


  • Server just needs to send this new header:
        Access-Control-Allow-Origin: http://mysite.com (or) *



                                           More about these in future events.
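"Server just needs to send this new header" is the whole mechanism, but the value it sends is the security decision. The added example below (not from the slides) shows a server picking that value: an allow-list of origins instead of `*` or a blind echo of the `Origin` header, `Vary: Origin` so caches do not serve one origin's answer to another, and a preflight response with fixed methods and headers. The allow-list, the request object and the chosen methods and headers are assumptions for the demo.

```javascript
// Added example (not from the slides): choosing CORS response headers on the
// server. The allow-list and the request shape are assumptions for the demo.
const ALLOWED_ORIGINS = new Set(["http://mysite.com", "https://app.mysite.com"]);

// Builds status and headers for one request. `req` is a plain object with
// `method` and lower-cased `headers`, standing in for a real HTTP request.
function corsResponse(req) {
  const origin = req.headers["origin"];
  const headers = {};

  // No Origin header: same-origin or non-browser request, nothing to add.
  // Unlisted Origin: answer without Access-Control-Allow-Origin, so the
  // browser withholds the response from the page. Echoing any Origin together
  // with Allow-Credentials would expose every logged-in user's data to every
  // site, which is the classic CORS misconfiguration.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: req.method === "OPTIONS" ? 403 : 200, headers };
  }

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  // The answer depends on Origin, so shared caches must key on it.
  headers["Vary"] = "Origin";

  if (req.method === "OPTIONS") {
    // Preflight: state what the real request may use, from a fixed list
    // rather than echoing Access-Control-Request-Headers back.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// For data that is public and never tied to a session, "*" is the right
// answer. Browsers refuse to combine "*" with credentials, so this form
// cannot leak a logged-in user's data.
function publicCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}
```

The slide's two options map onto the two functions: a named origin (here chosen from a list, with credentials) and `*` (public data only, no credentials).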
A better picture

 [Diagram: Site A and Site B in separate browsing contexts, linked by the cross origin channels below]

              AJAX
              PostMessage (HTML5)
              Cross Origin Resource Sharing (HTML5)
              Server side proxy
Litmus Test ;)

 If (!sleepy && !confused){
          GoTo slide 2;
          print("Answer all questions till slide 8 correctly");
 }
 else {
          GoTo slide 9;
          print("Repeat");
 }
Thank You!

Twitter: @novogeek
Blog: http://novogeek.com

Browser Internals-Same Origin Policy
