Security: Isolation
Lecture Notes for CS 142
Winter 2014
John Ousterhout
- Additional reading for this topic: none.
- The isolation problem:
- Web content comes from many sources, not all equally
trusted.
- Trusted and untrusted content are in close proximity
(frames, tabs, sequential visits).
- Must separate various forms of content so that untrusted content
cannot corrupt/misuse trusted content.
- Example: a "good" page displays a sponsored ad:
- Attackers can buy advertisements, use them to attack
good pages.
- Advertiser gets to supply content for ad (e.g. "good"
page links to advertiser site in <iframe>)
- Ad can contain <script> elements that access
DOM, submit forms, etc.
parent.frames[0].forms[0].submit();
Same-Origin Policy
- General idea: separate content with different trust levels
into different frames, restrict communication between
frames.
- One frame can access content in another frame only if they
both came from the same origin. Origin =
- Protocol
- Domain name
- Port (in some browsers).
- All modern browsers implement the same-origin policy.
- Same-origin applies to AJAX requests also.
- Where same-origin doesn't apply:
- <script> tags: Javascript included via a <script> tag, even when loaded
from another origin, executes with the full privileges of the enclosing frame.
- By itself, the same-origin policy is too restrictive: there are
times when it is useful for frames with different origins to
communicate in various ways.
- New HTML5 feature: Access-Control-Allow-Origin header in
HTTP responses:
- Specifies one or more domains that may access this object's DOM.
- Can use "*" to allow universal access.
- HTML5 postMessage mechanism:
- Allows frames to send messages to each other in a controlled
fashion.
- Sender (from domain a.com):
frames[0].postMessage("Hello world", "http://b.com/");
- Receiver (domain b.com) can check origin:
window.addEventListener("message", doEvent);
function doEvent(e) {
    // Accept only messages whose sender origin is the one we expect.
    if (e.origin === "http://a.com") {
        ... e.data ...
    }
}
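The postMessage exchange above, worked through as an added example (not code from the lecture notes): a minimal stand-in for browser frames simulates the two checks involved, the browser dropping a message whose targetOrigin does not match the frame's current origin, and the receiver rejecting messages whose e.origin is not on its allowlist. The origins a.com, b.com, c.com and other.com are constructed for the example.

```javascript
// Stand-in for a browser frame (constructed for this example, not a browser API).
function makeFrame(origin) {
  const frame = { origin, listeners: [] };
  frame.addEventListener = (type, fn) => {
    if (type === "message") frame.listeners.push(fn);
  };
  // Simulates window.postMessage(data, targetOrigin) as sent from senderOrigin:
  // the browser delivers only if targetOrigin is "*" or equals the frame's
  // current origin, so a frame that has navigated elsewhere never sees the data.
  frame.postMessage = (data, targetOrigin, senderOrigin) => {
    if (targetOrigin !== "*" && targetOrigin !== frame.origin) return false;
    frame.listeners.forEach((fn) => fn({ origin: senderOrigin, data }));
    return true;
  };
  return frame;
}

// Receiver side: register a message handler that accepts only allowlisted
// origins. Origin = protocol + host + port, so allowlist entries are
// normalized with URL.origin and compared as exact strings against e.origin.
function makeReceiver(frame, allowedOrigins) {
  const allowed = allowedOrigins.map((o) => new URL(o).origin);
  const accepted = [];
  frame.addEventListener("message", (e) => {
    if (!allowed.includes(e.origin)) return; // untrusted sender: ignore
    accepted.push(e.data);
  });
  return accepted;
}

function demo() {
  const b = makeFrame("http://b.com");
  const accepted = makeReceiver(b, ["http://a.com/"]);
  // 1. a.com sends to b.com with an explicit target origin: delivered and accepted.
  const r1 = b.postMessage("Hello world", "http://b.com", "http://a.com");
  // 2. other.com sends to b.com: the browser delivers it, the handler rejects it.
  const r2 = b.postMessage("forged", "http://b.com", "http://other.com");
  // 3. a.com targets c.com but the frame currently holds b.com: not delivered,
  //    which is why a specific targetOrigin is safer than "*".
  const r3 = b.postMessage("secret", "http://c.com", "http://a.com");
  return { delivered: [r1, r2, r3], accepted };
}
```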
Cookie Security
- Cookies can be read and written from Javascript:
alert(document.cookie);
document.cookie = "name=value; expires=Sat, 01 Jan 2011 00:00:00 GMT";
- Browsers use the same-origin policy to restrict access to
cookies.