Basic web security model - Stanford Crypto Group

More documents

Recommendations

Info

Setting/deleting cookies by server Browser if expires=NULL: this session only GET … HTTP Header: Set-cookie: NAME=VALUE ; • Delete cookie by setting “expires” to date in past • Default scope is domain and path of setting URL Server domain = (when to send) ; path = (when to send) secure = (only send over SSL); expires = (when expires) ; HttpOnly (later) scope
Scope setting rules (write SOP) domain: any domain-suffix of URL-hostname, except TLD example: host = “login.site.com” allowed domains login.site.com .site.com ⇒ login.site.com can set cookies for all of .site.com but not for another site or TLD Problematic for sites like .stanford.edu path: can be set to anything disallowed domains user.site.com othersite.com .com
Page 1 and 2: Basic web security model Elie Bursz
Page 3 and 4: Web security: two sides Web browser
Page 5 and 6: Outline Web Refresher: Security Use
Page 7 and 8: HTTP protocol HTTP is widely used
Page 9 and 10: HTTP Request Method File HTTP versi
Page 11 and 12: Security User Interface When is it
Page 15 and 16: Safe to type your password? 15
Page 17 and 18: Safe to type your password? 17
Page 21 and 22: Components of browser security poli
Page 23 and 24: Windows Interact 23
Page 25 and 26: Frames Modularity Brings together
Page 27 and 28: Masups: lots of frames (gadgets) 27
Page 29 and 30: Window Policy Anomaly top.frames[1]
Page 31 and 32: What should the policy be? Child Si
Page 33 and 34: Adoption of Descendant Policy Brows
Page 35 and 36: 35 Pages can embed content from man
Page 37 and 38: Mashups
Page 39 and 40: Recent Developments Cross-origin ne
Page 41 and 42: postMessage syntax frames[0].postMe
Page 43 and 44: Data export Many ways to send infor
Page 45 and 46: Sending a Cross-Domain GET Data mus
Page 47 and 48: Cookie Security How to make HTTP st
Page 49: Same origin policy: “high level
Page 53 and 54: Reading cookies on server (read SOP
Page 55 and 56: Client side read/write: document.co
Page 57 and 58: Viewing/deleting cookies in Browser
Page 59 and 60: Interaction with the DOM SOP Cookie
Page 61 and 62: Browser security design How to buil
Page 63 and 64: Approach Fact: Browsers will always
Page 65 and 66: Frequency of interactions with atta
Page 67 and 68: World of Warcraft keylogger Flash P
Page 69 and 70: Now do it in the browser
Page 71 and 72: Introductions are easy Impressions
Page 73 and 74: Closing the vulnerability window Di
Page 75 and 76: Getting better, but not fast enough
Page 77 and 78: Severity "Medium" Universal XSS "Hi
Page 79 and 80: IE7 Containment Goals Arbitrary cod
Page 81 and 82: Chromium Security Architecture Brow
Page 83 and 84: Task Allocation
Page 85 and 86: Another approach: Cookie Blocking B

Basic web security model - Stanford Crypto Group

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?