The current security model used by web browsers, the Same Origin Policy (SOP), does not support the secure cross-domain communication desired by web mashup developers. Developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications.