DOI: 10.5555/1496711.1496713
Article

Securing frame communication in browsers

Published: 28 July 2008

Abstract

Many web sites embed third-party content in frames, relying on the browser's security policy to protect them from malicious content. Frames, however, are often insufficient isolation primitives because most browsers let framed content manipulate other frames through navigation. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in open-source browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also hinders communication between cooperating frames. We analyze two techniques for inter-frame communication. The first method, fragment identifier messaging, provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, postMessage, provides authentication, but we discover an attack that breaches confidentiality. We modify the postMessage API to provide confidentiality and see our modifications standardized and adopted in browser implementations.
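The repaired postMessage API that the abstract refers to takes an optional target origin argument, and receivers authenticate a message by checking its origin. As an added illustration that is not code from the paper, the following small JavaScript model (with constructed origins) shows both checks: a message aimed at a frame that no longer holds the expected document is dropped when a target origin is given, and a receiver that filters on origin ignores messages from any other sender.

```javascript
// Added example (not from the paper): a small model of the browser's
// postMessage delivery rule, showing why the optional target-origin
// argument restores confidentiality. All origins below are constructed.

class FrameModel {
  // A frame is a window reference; the origin of the document it
  // currently shows changes if someone navigates the frame.
  constructor(origin) {
    this.origin = origin;
    this.inbox = [];
  }

  navigate(newOrigin) {
    this.origin = newOrigin;
  }

  // Delivery rule: deliver only if targetOrigin is '*' or equals the
  // origin of the document currently loaded in this frame.
  postMessage(data, targetOrigin, senderOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) {
      return false; // dropped silently; nothing reaches the frame
    }
    this.inbox.push({ data, origin: senderOrigin });
    return true;
  }
}

// Receiver side: authentication is the event.origin check; messages
// from any other origin are ignored.
function acceptedMessages(frame, trustedSender) {
  return frame.inbox
    .filter((event) => event.origin === trustedSender)
    .map((event) => event.data);
}

// Confidentiality: the integrator sends to a frame whose document is
// no longer the gadget it expects.
function sendToNavigatedFrame(targetOrigin) {
  const frame = new FrameModel('https://gadget.example');
  frame.navigate('https://other.example');
  return frame.postMessage('session token', targetOrigin, 'https://integrator.example');
}

// Authentication: the gadget keeps only the message from the origin it trusts.
function filterUntrusted() {
  const frame = new FrameModel('https://gadget.example');
  frame.postMessage('legit', 'https://gadget.example', 'https://integrator.example');
  frame.postMessage('spoof', '*', 'https://other.example');
  return acceptedMessages(frame, 'https://integrator.example');
}
```

With `'*'` the message reaches whatever document the frame now holds; with the gadget's origin it is dropped, which is the confidentiality property the standardized argument provides.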



Published In

SS'08: Proceedings of the 17th conference on Security symposium, July 2008, 410 pages

Publisher

USENIX Association, United States


Cited By

  • (2024) Web platform threats. Proceedings of the 33rd USENIX Conference on Security Symposium, 757-774. 10.5555/3698900.3698943. Online publication date: 14-Aug-2024
  • (2019) Iframes/popups are dangerous in mobile webview. Proceedings of the 28th USENIX Conference on Security Symposium, 977-994. 10.5555/3361338.3361406. Online publication date: 14-Aug-2019
  • (2018) Pride and Prejudice in Progressive Web Apps. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 1731-1746. 10.1145/3243734.3243867. Online publication date: 15-Oct-2018
  • (2017) SECRET. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, 835-848. 10.1145/3052973.3052982. Online publication date: 2-Apr-2017
  • (2016) Privacy Breach by Exploiting postMessage in HTML5. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, 629-640. 10.1145/2897845.2897901. Online publication date: 30-May-2016
  • (2016) Data Exfiltration in the Face of CSP. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, 853-864. 10.1145/2897845.2897899. Online publication date: 30-May-2016
  • (2015) BrowserAudit: automated testing of browser security features. Proceedings of the 2015 International Symposium on Software Testing and Analysis, 37-47. 10.1145/2771783.2771789. Online publication date: 13-Jul-2015
  • (2015) Rethinking Security of Web-Based System Applications. Proceedings of the 24th International Conference on World Wide Web, 366-376. 10.1145/2736277.2741663. Online publication date: 18-May-2015
  • (2014) Secure multi-execution of web scripts. Journal of Computer Security, 22:4, 469-509. 10.5555/2699784.2699786. Online publication date: 1-Jul-2014
  • (2014) Building web applications on top of encrypted data using Mylar. Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation, 157-172. 10.5555/2616448.2616464. Online publication date: 2-Apr-2014
