SlideShare ist ein Scribd-Unternehmen logo
1 von 15
Downloaden Sie, um offline zu lesen
The Same-Origin Saga
Brendan Eich
AppSec USA 2012
A long time ago in a
galaxy far, far away...
The Same-Origin Saga
Netscape 2
• 1995 platform push against looming MSFT threat
• Frames, framesets, plugins (first in Netscape 1.1)
• JavaScript, in ten days in May
•window.open(url, name, options)
•window.location, document.cookie
•link.click(), form.submit()
•javascript: (generated docs, bookmarklets)
•document.write(s) still tops for ad insertion
Origin
• Take the base URL of a loaded document
• Take the scheme://host:port prefix
• Label all code and data with origin
• Check “same origin” by string compare
• Originally, all file: URLs were same-origin!
• Fixed to use file pathname as origin
• Similarly for imap:, mailbox:, news:
Netscape 3
•<script src=”url”></script>
• Cross-site src URL allowed -- just like img
• Like #include in C, remote script code
given same origin as loading HTML
•document.domain for changing effective
origin to join a super-domain
Apply Murphy’s Law, Iterate
• Miserable XSS history elided...
mozilla
8
mozilla
No browser wins by taking overlarge risks
• Previous slide from Collin Jackson’s USENIX Security 2011 invited talk, titled
“Crossing the Chasm: Pitching Security Research to Mainstream Browser
Vendors” [slides]
• Features are not free
• Mozilla commissioned optional CPython integration work by Mark Hammond
• Used by only one embedder
• No CPython distribution for Windows or Mac OS X
• High sunk and recurring engineering costs
9
Hopeful Developments
• JS is almost OCap (Object Capability)
• Browsers use OCap under the hood
• ES5 and ES6 strengthen JS’s OCap nature
• Better Caja/SES efficiency
• “use strict” pseudo-pragma
• OWASP best practices, Origin header, etc.
help outside of JS attack vectors
Selective Interception
meta
base
object
VM territory (C++)
JavaScript territory
Self-hosted
host object
VM handler VM handler
proxy
handler
Example: Membranes
• Firefox security wrappers (anti-XSS, XUL, etc.)
• Google Caja: capability-secure subset
• Object-capability model: an object is powerless
unless given a reference to other objects
• References can be made revocable through a
membrane
Compartments (Isolated Heaps)
Cross-Compartment Mediation
• Cross-Origin Wrapper
Conclusions + Question
• Same-Origin Policy continues to evolve
• Better isolation, OCap membranes reduce
attack surface
• Can we break the web cooperatively?
• Label cross-site <script src=”url2”>
in document from url1 with subordinate
origin computed from both URLs?

Weitere ähnliche Inhalte

Was ist angesagt?

Front End Development Automation with Grunt
Front End Development Automation with GruntFront End Development Automation with Grunt
Front End Development Automation with GruntLadies Who Code
 
RedisConf18 - RedisUnique
RedisConf18 - RedisUniqueRedisConf18 - RedisUnique
RedisConf18 - RedisUniqueRedis Labs
 
Making Symfony Services async with RabbitMq (and more Symfony)
Making Symfony Services async with RabbitMq (and more Symfony)Making Symfony Services async with RabbitMq (and more Symfony)
Making Symfony Services async with RabbitMq (and more Symfony)Gaetano Giunta
 
Jslab rssh: JS as language platform
Jslab rssh:  JS as language platformJslab rssh:  JS as language platform
Jslab rssh: JS as language platformRuslan Shevchenko
 
Future-proof Development for Classic SharePoint
Future-proof Development for Classic SharePointFuture-proof Development for Classic SharePoint
Future-proof Development for Classic SharePointBob German
 
Modern iframe programming
Modern iframe programmingModern iframe programming
Modern iframe programmingbenvinegar
 
A crash course in scaling wordpress
A crash course inscaling wordpress A crash course inscaling wordpress
A crash course in scaling wordpress GovLoop
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesGovLoop
 
Breaking the eggshell: From .NET to Node.js
Breaking the eggshell: From .NET to Node.jsBreaking the eggshell: From .NET to Node.js
Breaking the eggshell: From .NET to Node.jsBarbara Fusinska
 
WP-CLI Talk from WordCamp Montreal
WP-CLI Talk from WordCamp MontrealWP-CLI Talk from WordCamp Montreal
WP-CLI Talk from WordCamp MontrealShawn Hooper
 
MJ Berends talk - Women & Non-Binary Focused Intro to AWS
 MJ Berends talk - Women & Non-Binary Focused Intro to AWS MJ Berends talk - Women & Non-Binary Focused Intro to AWS
MJ Berends talk - Women & Non-Binary Focused Intro to AWSAWS Chicago
 
Tampering with JavaScript
Tampering with JavaScriptTampering with JavaScript
Tampering with JavaScriptBoy Baukema
 
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started GuideTraining Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started GuideContinuent
 
TypeScript: Bringing Sanity to JavaScript
TypeScript: Bringing Sanity to JavaScriptTypeScript: Bringing Sanity to JavaScript
TypeScript: Bringing Sanity to JavaScriptDave Fancher
 

Was ist angesagt? (20)

MongoDB + Node.JS + EPAM ROAD
MongoDB + Node.JS + EPAM ROADMongoDB + Node.JS + EPAM ROAD
MongoDB + Node.JS + EPAM ROAD
 
Front End Development Automation with Grunt
Front End Development Automation with GruntFront End Development Automation with Grunt
Front End Development Automation with Grunt
 
RedisConf18 - RedisUnique
RedisConf18 - RedisUniqueRedisConf18 - RedisUnique
RedisConf18 - RedisUnique
 
Making Symfony Services async with RabbitMq (and more Symfony)
Making Symfony Services async with RabbitMq (and more Symfony)Making Symfony Services async with RabbitMq (and more Symfony)
Making Symfony Services async with RabbitMq (and more Symfony)
 
Introduction to CQ5
Introduction to CQ5Introduction to CQ5
Introduction to CQ5
 
Jslab rssh: JS as language platform
Jslab rssh:  JS as language platformJslab rssh:  JS as language platform
Jslab rssh: JS as language platform
 
Ansible API
Ansible APIAnsible API
Ansible API
 
Future-proof Development for Classic SharePoint
Future-proof Development for Classic SharePointFuture-proof Development for Classic SharePoint
Future-proof Development for Classic SharePoint
 
Modern iframe programming
Modern iframe programmingModern iframe programming
Modern iframe programming
 
Don't worry with bower
Don't worry with bowerDon't worry with bower
Don't worry with bower
 
A crash course in scaling wordpress
A crash course inscaling wordpress A crash course inscaling wordpress
A crash course in scaling wordpress
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sites
 
Breaking the eggshell: From .NET to Node.js
Breaking the eggshell: From .NET to Node.jsBreaking the eggshell: From .NET to Node.js
Breaking the eggshell: From .NET to Node.js
 
WP-CLI Talk from WordCamp Montreal
WP-CLI Talk from WordCamp MontrealWP-CLI Talk from WordCamp Montreal
WP-CLI Talk from WordCamp Montreal
 
MJ Berends talk - Women & Non-Binary Focused Intro to AWS
 MJ Berends talk - Women & Non-Binary Focused Intro to AWS MJ Berends talk - Women & Non-Binary Focused Intro to AWS
MJ Berends talk - Women & Non-Binary Focused Intro to AWS
 
Tampering with JavaScript
Tampering with JavaScriptTampering with JavaScript
Tampering with JavaScript
 
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started GuideTraining Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
 
Xna content pipeline
Xna content pipelineXna content pipeline
Xna content pipeline
 
TypeScript: Bringing Sanity to JavaScript
TypeScript: Bringing Sanity to JavaScriptTypeScript: Bringing Sanity to JavaScript
TypeScript: Bringing Sanity to JavaScript
 
Static website generator
Static website generatorStatic website generator
Static website generator
 

Andere mochten auch

Mozilla's NodeConf talk
Mozilla's NodeConf talkMozilla's NodeConf talk
Mozilla's NodeConf talkBrendan Eich
 
JS Responsibilities
JS ResponsibilitiesJS Responsibilities
JS ResponsibilitiesBrendan Eich
 
Mozilla Research Party Talk
Mozilla Research Party TalkMozilla Research Party Talk
Mozilla Research Party TalkBrendan Eich
 
Extensible Operators and Literals for JavaScript
Extensible Operators and Literals for JavaScriptExtensible Operators and Literals for JavaScript
Extensible Operators and Literals for JavaScriptBrendan Eich
 
Value Objects, Full Throttle (to be updated for spring TC39 meetings)
Value Objects, Full Throttle (to be updated for spring TC39 meetings)Value Objects, Full Throttle (to be updated for spring TC39 meetings)
Value Objects, Full Throttle (to be updated for spring TC39 meetings)Brendan Eich
 
Value objects in JS - an ES7 work in progress
Value objects in JS - an ES7 work in progressValue objects in JS - an ES7 work in progress
Value objects in JS - an ES7 work in progressBrendan Eich
 
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand VietnamHai Dongkixot
 
نقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوبنقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوبFarhad Zargari
 

Andere mochten auch (20)

Taysom seminar
Taysom seminarTaysom seminar
Taysom seminar
 
My dotJS Talk
My dotJS TalkMy dotJS Talk
My dotJS Talk
 
Capitol js
Capitol jsCapitol js
Capitol js
 
Paren free
Paren freeParen free
Paren free
 
Fluent15
Fluent15Fluent15
Fluent15
 
Fluent14
Fluent14Fluent14
Fluent14
 
Mozilla's NodeConf talk
Mozilla's NodeConf talkMozilla's NodeConf talk
Mozilla's NodeConf talk
 
JSLOL
JSLOLJSLOL
JSLOL
 
Web futures
Web futuresWeb futures
Web futures
 
JS Responsibilities
JS ResponsibilitiesJS Responsibilities
JS Responsibilities
 
dotJS 2015
dotJS 2015dotJS 2015
dotJS 2015
 
Mozilla Research Party Talk
Mozilla Research Party TalkMozilla Research Party Talk
Mozilla Research Party Talk
 
Extensible Operators and Literals for JavaScript
Extensible Operators and Literals for JavaScriptExtensible Operators and Literals for JavaScript
Extensible Operators and Literals for JavaScript
 
Value Objects, Full Throttle (to be updated for spring TC39 meetings)
Value Objects, Full Throttle (to be updated for spring TC39 meetings)Value Objects, Full Throttle (to be updated for spring TC39 meetings)
Value Objects, Full Throttle (to be updated for spring TC39 meetings)
 
Value objects in JS - an ES7 work in progress
Value objects in JS - an ES7 work in progressValue objects in JS - an ES7 work in progress
Value objects in JS - an ES7 work in progress
 
Splash
SplashSplash
Splash
 
Txjs talk
Txjs talkTxjs talk
Txjs talk
 
محاضرة2
محاضرة2محاضرة2
محاضرة2
 
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
 
نقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوبنقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوب
 

Ähnlich wie The Same-Origin Saga

On Docker and its use for LHC at CERN
On Docker and its use for LHC at CERNOn Docker and its use for LHC at CERN
On Docker and its use for LHC at CERNSebastien Goasguen
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...
EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...
EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...Rob Tweed
 
An Intro to Js & Node.js
An Intro to Js & Node.jsAn Intro to Js & Node.js
An Intro to Js & Node.jsPremchand Kumar
 
Intro JavaScript
Intro JavaScriptIntro JavaScript
Intro JavaScriptkoppenolski
 
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBWebinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBMongoDB
 
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...The Linux Foundation
 
Java script nirvana in netbeans [con5679]
Java script nirvana in netbeans [con5679]Java script nirvana in netbeans [con5679]
Java script nirvana in netbeans [con5679]Ryan Cuprak
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
An introduction to Node.js
An introduction to Node.jsAn introduction to Node.js
An introduction to Node.jsKasey McCurdy
 
Apache Superset at Airbnb
Apache Superset at AirbnbApache Superset at Airbnb
Apache Superset at AirbnbBill Liu
 
SMACK Stack 1.1
SMACK Stack 1.1SMACK Stack 1.1
SMACK Stack 1.1Joe Stein
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0Itzik Kotler
 
Social Connections 2015 CrossWorlds and Domino
Social Connections 2015 CrossWorlds and DominoSocial Connections 2015 CrossWorlds and Domino
Social Connections 2015 CrossWorlds and DominoPaul Withers
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...mfrancis
 
Cloud Native Camel Riding
Cloud Native Camel RidingCloud Native Camel Riding
Cloud Native Camel RidingChristian Posta
 

Ähnlich wie The Same-Origin Saga (20)

On Docker and its use for LHC at CERN
On Docker and its use for LHC at CERNOn Docker and its use for LHC at CERN
On Docker and its use for LHC at CERN
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...
EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...
EWD 3 Training Course Part 1: How Node.js Integrates With Global Storage Data...
 
An Intro to Js & Node.js
An Intro to Js & Node.jsAn Intro to Js & Node.js
An Intro to Js & Node.js
 
Intro JavaScript
Intro JavaScriptIntro JavaScript
Intro JavaScript
 
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDBWebinar: Enabling Microservices with Containers, Orchestration, and MongoDB
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
 
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
 
Java script nirvana in netbeans [con5679]
Java script nirvana in netbeans [con5679]Java script nirvana in netbeans [con5679]
Java script nirvana in netbeans [con5679]
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
An introduction to Node.js
An introduction to Node.jsAn introduction to Node.js
An introduction to Node.js
 
Apache Superset at Airbnb
Apache Superset at AirbnbApache Superset at Airbnb
Apache Superset at Airbnb
 
SMACK Stack 1.1
SMACK Stack 1.1SMACK Stack 1.1
SMACK Stack 1.1
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0
 
Social Connections 2015 CrossWorlds and Domino
Social Connections 2015 CrossWorlds and DominoSocial Connections 2015 CrossWorlds and Domino
Social Connections 2015 CrossWorlds and Domino
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...
 
Cloud Native Camel Riding
Cloud Native Camel RidingCloud Native Camel Riding
Cloud Native Camel Riding
 

Kürzlich hochgeladen

9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 

Kürzlich hochgeladen (20)

9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 

The Same-Origin Saga

  • 1. The Same-Origin Saga Brendan Eich AppSec USA 2012
  • 2. A long time ago in a galaxy far, far away...
  • 4. Netscape 2 • 1995 platform push against looming MSFT threat • Frames, framesets, plugins (first in Netscape 1.1) • JavaScript, in ten days in May •window.open(url, name, options) •window.location, document.cookie •link.click(), form.submit() •javascript: (generated docs, bookmarklets) •document.write(s) still tops for ad insertion
  • 5. Origin • Take the base URL of a loaded document • Take the scheme://host:port prefix • Label all code and data with origin • Check “same origin” by string compare • Originally, all file: URLs were same-origin! • Fixed to use file pathname as origin • Similarly for imap:, mailbox:, news:
  • 6. Netscape 3 •<script src=”url”></script> • Cross-site src URL allowed -- just like img • Like #include in C, remote script code given same origin as loading HTML •document.domain for changing effective origin to join a super-domain
  • 7. Apply Murphy’s Law, Iterate • Miserable XSS history elided...
  • 9. mozilla No browser wins by taking overlarge risks • Previous slide from Collin Jackson’s USENIX Security 2011 invited talk, titled “Crossing the Chasm: Pitching Security Research to Mainstream Browser Vendors” [slides] • Features are not free • Mozilla commissioned optional CPython integration work by Mark Hammond • Used by only one embedder • No CPython distribution for Windows or Mac OS X • High sunk and recurring engineering costs 9
  • 10. Hopeful Developments • JS is almost OCap (Object Capability) • Browsers use OCap under the hood • ES5 and ES6 strengthen JS’s OCap nature • Better Caja/SES efficiency • “use strict” pseudo-pragma • OWASP best practices, Origin header, etc. help outside of JS attack vectors
  • 11. Selective Interception meta base object VM territory (C++) JavaScript territory Self-hosted host object VM handler VM handler proxy handler
  • 12. Example: Membranes • Firefox security wrappers (anti-XSS, XUL, etc.) • Google Caja: capability-secure subset • Object-capability model: an object is powerless unless given a reference to other objects • References can be made revocable through a membrane
  • 15. Conclusions + Question • Same-Origin Policy continues to evolve • Better isolation, OCap membranes reduce attack surface • Can we break the web cooperatively? • Label cross-site <script src=”url2”> in document from url1 with subordinate origin computed from both URLs?