Basic web security model - Stanford Crypto Group

More documents

Recommendations

Info

Cross-origin Interaction Sites often need to communicate: Google AdSense: Mashups Gadget aggregators (e.g. iGoogle or live.com) Primary method: script inclusion; site A does: • Script from B runs in A’s origin: full control over A’s DOM • Note: to communicate with B, site A gives B full control !!
Mashups
Page 1 and 2: Basic web security model Elie Bursz
Page 3 and 4: Web security: two sides Web browser
Page 5 and 6: Outline Web Refresher: Security Use
Page 7 and 8: HTTP protocol HTTP is widely used
Page 9 and 10: HTTP Request Method File HTTP versi
Page 11 and 12: Security User Interface When is it
Page 15 and 16: Safe to type your password? 15
Page 17 and 18: Safe to type your password? 17
Page 21 and 22: Components of browser security poli
Page 23 and 24: Windows Interact 23
Page 25 and 26: Frames Modularity Brings together
Page 27 and 28: Masups: lots of frames (gadgets) 27
Page 29 and 30: Window Policy Anomaly top.frames[1]
Page 31 and 32: What should the policy be? Child Si
Page 33 and 34: Adoption of Descendant Policy Brows
Page 35: 35 Pages can embed content from man
Page 39 and 40: Recent Developments Cross-origin ne
Page 41 and 42: postMessage syntax frames[0].postMe
Page 43 and 44: Data export Many ways to send infor
Page 45 and 46: Sending a Cross-Domain GET Data mus
Page 47 and 48: Cookie Security How to make HTTP st
Page 49 and 50: Same origin policy: “high level
Page 51 and 52: Scope setting rules (write SOP) dom
Page 53 and 54: Reading cookies on server (read SOP
Page 55 and 56: Client side read/write: document.co
Page 57 and 58: Viewing/deleting cookies in Browser
Page 59 and 60: Interaction with the DOM SOP Cookie
Page 61 and 62: Browser security design How to buil
Page 63 and 64: Approach Fact: Browsers will always
Page 65 and 66: Frequency of interactions with atta
Page 67 and 68: World of Warcraft keylogger Flash P
Page 69 and 70: Now do it in the browser
Page 71 and 72: Introductions are easy Impressions
Page 73 and 74: Closing the vulnerability window Di
Page 75 and 76: Getting better, but not fast enough
Page 77 and 78: Severity "Medium" Universal XSS "Hi
Page 79 and 80: IE7 Containment Goals Arbitrary cod
Page 81 and 82: Chromium Security Architecture Brow
Page 83 and 84: Task Allocation
Page 85 and 86: Another approach: Cookie Blocking B

Basic web security model - Stanford Crypto Group

Create successful ePaper yourself

Delete template?

Save as template?