SlideShare ist ein Scribd-Unternehmen logo

Scott Isaacs Presentationajaxexperience (Final)

Als PPTX, PDF herunterladen
Ajax Experience 2009
Ajax Experience 2009
TechnologieBusiness
1 von 15
Beyond IFrames:Web Sandboxes Scott Isaacs Software Architect Microsoft
How Web Sites are Built Today Google Friend Connect Youtube The Web normally has a Same Origin Policy – but in practice, “your script works in my origin” All JavaScript code in the page, regardless of origin, has the same trust level and permissions If one bit of code fails or is compromised, the entire page/app/site can be compromised Quick Demo… Youtube Google News Error from Amazon
Circles of (Dis)Trust Shared Frameworks Affiliates Images Gadgets Maps You Tube Your Code Social Networks Analytics Search Content Display Ads Images
User’s Expectations ≠ Reality Mismatch between browser security and expectations O/S boundaries protected Cross-domain content protected Composite pages have a single policy Aggregation (mash-ups) not protected You need a composite policy for a composite page Let’s secure the cookie…
The growing risk… Differentiation between Cloud and Local Services is blurring… User Data being aggregated… Personal Data (both local and cloud-based) Storage, Photos, E-Mail, Social Network/ Contacts, IM Devices Phones, GPS, Camera, etc. …and exposed to… Site Services Rich Advertising, Analytics, Maps, Affiliate Programs Site Extensibility Gadgets, Libraries, etc.
What about IFrames? Still exploitable… Run-away code… Navigation… Click-Jacking… And not rich enough… Designed for content embedding Established fixed “policies” Won’t work for display integration (e.g., fly outs) Fails for tight integration w/ API’s, CSS Isolation model, not a Security Architecture
Web Sandbox Isolate and secure the boundaries via composite host-defined policies Builds on existing knowledge Embrace existing programming patterns Provides browser equalization Open Source Project (Apache License)
QoS - Going beyond security Profiles executing code Error tracking and recovery Code Throttling LifeCycle management QoS Demo…
Your Web Page Creating Secure Containers Policy and Rules Policy and Rules Policy and Rules Web Sandbox Virtual Machine Web Sandbox Virtual Machine Web Sandbox Virtual Machine Untrusted Script Untrusted Script Untrusted Script
Web Sandbox: The Big Picture Trusted Host(e.g., Your Site) Requests Content(untrusted) SandboxVirtual Machine(JavaScript Library) Sandboxed Execution Sandboxed Execution TransformationPipeline (Server or Client-based) Untrusted Content Virtualize Code
Transformation Process Request Resource Parse Resource Output JavaScript for execution within the Sandbox VM Let’s take a look….
Sandbox Virtual Machine Validates execution against policies Supports instancing and lifecycle Monitors QoS via profiling & throttling Protects external communication
Policies Contextually-aware API “tables” Allow/Deny/Augment rules Cascading model Default “Gadget” Policy Supports JavaScript/ W3C DOM Provides Namespace isolation Demo…
Trusted/ Untrusted boundaries Custom Policies to Surface Host APIs Demo… Mutually distrusted components sharing single “Trusted” Map
Simple Integration… <script src="sandbox2.js"></script> <div id="box"></div> <script src="transform.ashx?type=script&guid=GadgetGUID&ua=IE8&url=http://siteexperts.com/untrusted.js"></script> <script>var instance = new $Sandbox(document.getElementById("box"), $Policy.Gadget, 'GadgetGUID');instance.initialize(); </script>

Empfohlen

Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworks
lastrand
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Nelsan Ellis
 
Securing your WordPress powered Website
Securing your WordPress powered WebsiteSecuring your WordPress powered Website
Securing your WordPress powered Website
Pratik Jagdishwala
 
Unobtrusive javascript
Unobtrusive javascriptUnobtrusive javascript
Unobtrusive javascript
Lee Jordan
 
Flash Security
Flash SecurityFlash Security
Flash Security
Ferruh Mavituna
 
Taming 3rd party content
Taming 3rd party contentTaming 3rd party content
Taming 3rd party content
SergeyChernyshev
 
Its just a flesh wound
Its just a flesh woundIts just a flesh wound
Its just a flesh wound
Brett Gravois
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Chris Burgess
 

Empfohlen

Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworks
lastrand
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Nelsan Ellis
 
Securing your WordPress powered Website
Securing your WordPress powered WebsiteSecuring your WordPress powered Website
Securing your WordPress powered Website
Pratik Jagdishwala
 
Unobtrusive javascript
Unobtrusive javascriptUnobtrusive javascript
Unobtrusive javascript
Lee Jordan
 
Flash Security
Flash SecurityFlash Security
Flash Security
Ferruh Mavituna
 
Taming 3rd party content
Taming 3rd party contentTaming 3rd party content
Taming 3rd party content
SergeyChernyshev
 
Its just a flesh wound
Its just a flesh woundIts just a flesh wound
Its just a flesh wound
Brett Gravois
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Chris Burgess
 
Speed & Uptime with Wordpress
Speed & Uptime with WordpressSpeed & Uptime with Wordpress
Speed & Uptime with Wordpress
toddhdow
 
Konsultan SEO Malang - Jasa SEO Malang - 081333555017
Konsultan SEO Malang - Jasa SEO Malang - 081333555017Konsultan SEO Malang - Jasa SEO Malang - 081333555017
Konsultan SEO Malang - Jasa SEO Malang - 081333555017
'Agus DistroBlogger
 
Web 2.0 & Ajax Basics
Web 2.0 & Ajax BasicsWeb 2.0 & Ajax Basics
Web 2.0 & Ajax Basics
Abhishek Nagar
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?
Nigel Harding
 
Treegr
TreegrTreegr
Treegr
Vinh Khoa Nguyen
 
WordPress, Actually
WordPress, ActuallyWordPress, Actually
WordPress, Actually
Gal Baras
 
WordPress and the GDPR
WordPress and the GDPRWordPress and the GDPR
WordPress and the GDPR
Arjan Olsder
 
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - HendisonWebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
Search Commander, Inc.
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
Ksenia Peguero
 
Front End Oprtimization
Front End OprtimizationFront End Oprtimization
Front End Oprtimization
Folio3 Software
 
Dealing With Large Data In Ajax
Dealing With Large Data In AjaxDealing With Large Data In Ajax
Dealing With Large Data In Ajax
webtel125
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
Imperva Incapsula
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
Html5 over view
Html5 over viewHtml5 over view
Html5 over view
mnasir79
 
Security 101
Security 101Security 101
Security 101
Red Gate Software
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application security
James Crowley
 
Moto 360
Moto 360Moto 360
Moto 360
Jocelyn Morera Boza
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
Antonio Fontes
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
Sajjad "JJ" Arshad
 
To be present1 eso
To be present1 esoTo be present1 eso
To be present1 eso
IES - Junta de Andalucia
 
Tom Ferry Presentation
Tom Ferry PresentationTom Ferry Presentation
Tom Ferry Presentation
Jim Marks
 

Weitere ähnliche Inhalte

Was ist angesagt?

Dealing With Large Data In Ajax
Dealing With Large Data In AjaxDealing With Large Data In Ajax
Dealing With Large Data In Ajax
webtel125
 
Html5 over view
Html5 over viewHtml5 over view
Html5 over view
mnasir79
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
Antonio Fontes
 

Was ist angesagt? (20)

Speed & Uptime with Wordpress
Speed & Uptime with WordpressSpeed & Uptime with Wordpress
Speed & Uptime with Wordpress
 
Konsultan SEO Malang - Jasa SEO Malang - 081333555017
Konsultan SEO Malang - Jasa SEO Malang - 081333555017Konsultan SEO Malang - Jasa SEO Malang - 081333555017
Konsultan SEO Malang - Jasa SEO Malang - 081333555017
 
Web 2.0 & Ajax Basics
Web 2.0 & Ajax BasicsWeb 2.0 & Ajax Basics
Web 2.0 & Ajax Basics
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?
 
Treegr
TreegrTreegr
Treegr
 
WordPress, Actually
WordPress, ActuallyWordPress, Actually
WordPress, Actually
 
WordPress and the GDPR
WordPress and the GDPRWordPress and the GDPR
WordPress and the GDPR
 
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - HendisonWebHosting Performance / WordPress - Pubcon Vegas - Hendison
WebHosting Performance / WordPress - Pubcon Vegas - Hendison
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 
Front End Oprtimization
Front End OprtimizationFront End Oprtimization
Front End Oprtimization
 
Dealing With Large Data In Ajax
Dealing With Large Data In AjaxDealing With Large Data In Ajax
Dealing With Large Data In Ajax
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Html5 over view
Html5 over viewHtml5 over view
Html5 over view
 
Security 101
Security 101Security 101
Security 101
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application security
 
Moto 360
Moto 360Moto 360
Moto 360
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 

Andere mochten auch

Tom Ferry Presentation
Tom Ferry PresentationTom Ferry Presentation
Tom Ferry Presentation
Jim Marks
 
Ch 4 elements_compounds_and_mixtures
Ch 4 elements_compounds_and_mixturesCh 4 elements_compounds_and_mixtures
Ch 4 elements_compounds_and_mixtures
charsh
 
Unforgettable Javita Weight Loss Testimonials of 2013-2014
Unforgettable Javita Weight Loss Testimonials of 2013-2014Unforgettable Javita Weight Loss Testimonials of 2013-2014
Unforgettable Javita Weight Loss Testimonials of 2013-2014
Intello
 
Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...
Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...
Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...
RCSLLC
 
Patrick Lightbody Presentation Tae Slides
Patrick Lightbody Presentation Tae SlidesPatrick Lightbody Presentation Tae Slides
Patrick Lightbody Presentation Tae Slides
Ajax Experience 2009
 
Building eLearning Communities
Building eLearning CommunitiesBuilding eLearning Communities
Building eLearning Communities
DonnaOti
 
Earth And Moon Jeopardy Review
Earth And Moon Jeopardy ReviewEarth And Moon Jeopardy Review
Earth And Moon Jeopardy Review
charsh
 
Kcd226 Sistem Operasi Lecture05
Kcd226 Sistem Operasi Lecture05Kcd226 Sistem Operasi Lecture05
Kcd226 Sistem Operasi Lecture05
Cahyo Darujati
 

Andere mochten auch (20)

To be present1 eso
To be present1 esoTo be present1 eso
To be present1 eso
 
Tom Ferry Presentation
Tom Ferry PresentationTom Ferry Presentation
Tom Ferry Presentation
 
Fasting
FastingFasting
Fasting
 
Ch 4 elements_compounds_and_mixtures
Ch 4 elements_compounds_and_mixturesCh 4 elements_compounds_and_mixtures
Ch 4 elements_compounds_and_mixtures
 
Unforgettable Javita Weight Loss Testimonials of 2013-2014
Unforgettable Javita Weight Loss Testimonials of 2013-2014Unforgettable Javita Weight Loss Testimonials of 2013-2014
Unforgettable Javita Weight Loss Testimonials of 2013-2014
 
Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...
Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...
Upgrading Share Point Portal Server 2003 Customizations To Share Point Server...
 
Patrick Lightbody Presentation Tae Slides
Patrick Lightbody Presentation Tae SlidesPatrick Lightbody Presentation Tae Slides
Patrick Lightbody Presentation Tae Slides
 
Format makalah DDP MIPA
Format makalah DDP MIPA Format makalah DDP MIPA
Format makalah DDP MIPA
 
The future of remote teams: how to fine-tune virtual collaboration?
The future of remote teams: how to fine-tune virtual collaboration?The future of remote teams: how to fine-tune virtual collaboration?
The future of remote teams: how to fine-tune virtual collaboration?
 
lifePERX Benefit Brochure
lifePERX Benefit BrochurelifePERX Benefit Brochure
lifePERX Benefit Brochure
 
Red hook
Red hookRed hook
Red hook
 
1st Conditional
1st Conditional1st Conditional
1st Conditional
 
Building eLearning Communities
Building eLearning CommunitiesBuilding eLearning Communities
Building eLearning Communities
 
Earth And Moon Jeopardy Review
Earth And Moon Jeopardy ReviewEarth And Moon Jeopardy Review
Earth And Moon Jeopardy Review
 
Global warming
Global warmingGlobal warming
Global warming
 
La Futbolització PolíTica Del PaíS Valencià
La Futbolització PolíTica Del PaíS ValenciàLa Futbolització PolíTica Del PaíS Valencià
La Futbolització PolíTica Del PaíS Valencià
 
Products
ProductsProducts
Products
 
What I Learned About Linkedin
What I Learned About LinkedinWhat I Learned About Linkedin
What I Learned About Linkedin
 
Past References
Past ReferencesPast References
Past References
 
Kcd226 Sistem Operasi Lecture05
Kcd226 Sistem Operasi Lecture05Kcd226 Sistem Operasi Lecture05
Kcd226 Sistem Operasi Lecture05
 

Ähnlich wie Scott Isaacs Presentationajaxexperience (Final)

A Lap Around Internet Explorer 8
A Lap Around Internet Explorer 8A Lap Around Internet Explorer 8
A Lap Around Internet Explorer 8
rsnarayanan
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
Krishna T
 

Ähnlich wie Scott Isaacs Presentationajaxexperience (Final) (20)

Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
WebSocket Perspectives and Vision for the Future
WebSocket Perspectives and Vision for the FutureWebSocket Perspectives and Vision for the Future
WebSocket Perspectives and Vision for the Future
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Web browser and Security Threats
Web browser and Security ThreatsWeb browser and Security Threats
Web browser and Security Threats
 
A Lap Around Internet Explorer 8
A Lap Around Internet Explorer 8A Lap Around Internet Explorer 8
A Lap Around Internet Explorer 8
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
The Server Side of Responsive Web Design
The Server Side of Responsive Web DesignThe Server Side of Responsive Web Design
The Server Side of Responsive Web Design
 
Securing Web Applications
Securing Web ApplicationsSecuring Web Applications
Securing Web Applications
 
Web assembly with PWA
Web assembly with PWA Web assembly with PWA
Web assembly with PWA
 
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFWebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
 
A Day Building Fast, Responsive, Extensible Single Page Applications
A Day Building Fast, Responsive, Extensible Single Page ApplicationsA Day Building Fast, Responsive, Extensible Single Page Applications
A Day Building Fast, Responsive, Extensible Single Page Applications
 
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And More
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Smart Browsers and HTML5 Web Apps for the Chrome Web Store
Smart Browsers and HTML5 Web Apps for the Chrome Web StoreSmart Browsers and HTML5 Web Apps for the Chrome Web Store
Smart Browsers and HTML5 Web Apps for the Chrome Web Store
 

Mehr von Ajax Experience 2009

Adam Peller Interoperable Ajax Tools And Mashups
Adam Peller Interoperable Ajax Tools And MashupsAdam Peller Interoperable Ajax Tools And Mashups
Adam Peller Interoperable Ajax Tools And Mashups
Ajax Experience 2009
 
Eric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing ConsiderationsEric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing Considerations
Ajax Experience 2009
 
Chanhao Jiang And David Wei Presentation Quickling Pagecache
Chanhao Jiang And David Wei Presentation Quickling PagecacheChanhao Jiang And David Wei Presentation Quickling Pagecache
Chanhao Jiang And David Wei Presentation Quickling Pagecache
Ajax Experience 2009
 
Jason.O Keefe.Genuitec.Presentation.Final
Jason.O Keefe.Genuitec.Presentation.FinalJason.O Keefe.Genuitec.Presentation.Final
Jason.O Keefe.Genuitec.Presentation.Final
Ajax Experience 2009
 
Colin Clark Accessible U Is With J Query And Infusion[1]
Colin Clark Accessible U Is With J Query And Infusion[1]Colin Clark Accessible U Is With J Query And Infusion[1]
Colin Clark Accessible U Is With J Query And Infusion[1]
Ajax Experience 2009
 
Sergey Ilinsky Presentation Ample Sdk
Sergey Ilinsky Presentation Ample SdkSergey Ilinsky Presentation Ample Sdk
Sergey Ilinsky Presentation Ample Sdk
Ajax Experience 2009
 
Chris Williams Presentation Dissident
Chris Williams Presentation DissidentChris Williams Presentation Dissident
Chris Williams Presentation Dissident
Ajax Experience 2009
 
Ted Husted Presentation Testing Ajax Applications Ae2009
Ted Husted Presentation Testing Ajax Applications Ae2009Ted Husted Presentation Testing Ajax Applications Ae2009
Ted Husted Presentation Testing Ajax Applications Ae2009
Ajax Experience 2009
 
Ted Husted Api Doc Smackdown Ae2009
Ted Husted Api Doc Smackdown Ae2009Ted Husted Api Doc Smackdown Ae2009
Ted Husted Api Doc Smackdown Ae2009
Ajax Experience 2009
 
Laurens Van Den Oever Xopus Presentation
Laurens Van Den Oever Xopus PresentationLaurens Van Den Oever Xopus Presentation
Laurens Van Den Oever Xopus Presentation
Ajax Experience 2009
 
Jon Trelfa Presentation From Desktop To Web – Getting It Right
Jon Trelfa Presentation From Desktop To Web – Getting It RightJon Trelfa Presentation From Desktop To Web – Getting It Right
Jon Trelfa Presentation From Desktop To Web – Getting It Right
Ajax Experience 2009
 
Douglas Crockford Presentation Goodparts
Douglas Crockford Presentation GoodpartsDouglas Crockford Presentation Goodparts
Douglas Crockford Presentation Goodparts
Ajax Experience 2009
 
Douglas Crockford Presentation Jsonsaga
Douglas Crockford Presentation JsonsagaDouglas Crockford Presentation Jsonsaga
Douglas Crockford Presentation Jsonsaga
Ajax Experience 2009
 
David Wei And Changhao Jiang Presentation
David Wei And Changhao Jiang PresentationDavid Wei And Changhao Jiang Presentation
David Wei And Changhao Jiang Presentation
Ajax Experience 2009
 
Brian Le Roux Presentation Introducing Phone Gap
Brian Le Roux Presentation Introducing Phone GapBrian Le Roux Presentation Introducing Phone Gap
Brian Le Roux Presentation Introducing Phone Gap
Ajax Experience 2009
 
Ted Husted Presentation Testing The Testers Ae2009
Ted Husted Presentation Testing The Testers Ae2009Ted Husted Presentation Testing The Testers Ae2009
Ted Husted Presentation Testing The Testers Ae2009
Ajax Experience 2009
 

Mehr von Ajax Experience 2009 (20)

Adam Peller Interoperable Ajax Tools And Mashups
Adam Peller Interoperable Ajax Tools And MashupsAdam Peller Interoperable Ajax Tools And Mashups
Adam Peller Interoperable Ajax Tools And Mashups
 
Eric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing ConsiderationsEric Beland Ajax Load Testing Considerations
Eric Beland Ajax Load Testing Considerations
 
Chanhao Jiang And David Wei Presentation Quickling Pagecache
Chanhao Jiang And David Wei Presentation Quickling PagecacheChanhao Jiang And David Wei Presentation Quickling Pagecache
Chanhao Jiang And David Wei Presentation Quickling Pagecache
 
Jason.O Keefe.Genuitec.Presentation.Final
Jason.O Keefe.Genuitec.Presentation.FinalJason.O Keefe.Genuitec.Presentation.Final
Jason.O Keefe.Genuitec.Presentation.Final
 
Jenny Donnelly
Jenny DonnellyJenny Donnelly
Jenny Donnelly
 
Colin Clark Accessible U Is With J Query And Infusion[1]
Colin Clark Accessible U Is With J Query And Infusion[1]Colin Clark Accessible U Is With J Query And Infusion[1]
Colin Clark Accessible U Is With J Query And Infusion[1]
 
Sergey Ilinsky Presentation Ample Sdk
Sergey Ilinsky Presentation Ample SdkSergey Ilinsky Presentation Ample Sdk
Sergey Ilinsky Presentation Ample Sdk
 
Chris Williams Presentation Dissident
Chris Williams Presentation DissidentChris Williams Presentation Dissident
Chris Williams Presentation Dissident
 
Andrew Sutherland Presentation
Andrew Sutherland PresentationAndrew Sutherland Presentation
Andrew Sutherland Presentation
 
Bill Scott Presentation
Bill Scott PresentationBill Scott Presentation
Bill Scott Presentation
 
Ted Husted Presentation Testing Ajax Applications Ae2009
Ted Husted Presentation Testing Ajax Applications Ae2009Ted Husted Presentation Testing Ajax Applications Ae2009
Ted Husted Presentation Testing Ajax Applications Ae2009
 
Ted Husted Api Doc Smackdown Ae2009
Ted Husted Api Doc Smackdown Ae2009Ted Husted Api Doc Smackdown Ae2009
Ted Husted Api Doc Smackdown Ae2009
 
Laurens Van Den Oever Xopus Presentation
Laurens Van Den Oever Xopus PresentationLaurens Van Den Oever Xopus Presentation
Laurens Van Den Oever Xopus Presentation
 
Jon Trelfa Presentation From Desktop To Web – Getting It Right
Jon Trelfa Presentation From Desktop To Web – Getting It RightJon Trelfa Presentation From Desktop To Web – Getting It Right
Jon Trelfa Presentation From Desktop To Web – Getting It Right
 
Joe Mc Cann Tae Aria Presentation
Joe Mc Cann Tae Aria PresentationJoe Mc Cann Tae Aria Presentation
Joe Mc Cann Tae Aria Presentation
 
Douglas Crockford Presentation Goodparts
Douglas Crockford Presentation GoodpartsDouglas Crockford Presentation Goodparts
Douglas Crockford Presentation Goodparts
 
Douglas Crockford Presentation Jsonsaga
Douglas Crockford Presentation JsonsagaDouglas Crockford Presentation Jsonsaga
Douglas Crockford Presentation Jsonsaga
 
David Wei And Changhao Jiang Presentation
David Wei And Changhao Jiang PresentationDavid Wei And Changhao Jiang Presentation
David Wei And Changhao Jiang Presentation
 
Brian Le Roux Presentation Introducing Phone Gap
Brian Le Roux Presentation Introducing Phone GapBrian Le Roux Presentation Introducing Phone Gap
Brian Le Roux Presentation Introducing Phone Gap
 
Ted Husted Presentation Testing The Testers Ae2009
Ted Husted Presentation Testing The Testers Ae2009Ted Husted Presentation Testing The Testers Ae2009
Ted Husted Presentation Testing The Testers Ae2009
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Scott Isaacs Presentationajaxexperience (Final)

  • 1. Beyond IFrames:Web Sandboxes Scott Isaacs Software Architect Microsoft
  • 2. How Web Sites are Built Today Google Friend Connect Youtube The Web normally has a Same Origin Policy – but in practice, “your script works in my origin” All JavaScript code in the page, regardless of origin, has the same trust level and permissions If one bit of code fails or is compromised, the entire page/app/site can be compromised Quick Demo… Youtube Google News Error from Amazon
  • 3. Circles of (Dis)Trust Shared Frameworks Affiliates Images Gadgets Maps You Tube Your Code Social Networks Analytics Search Content Display Ads Images
  • 4. User’s Expectations ≠ Reality Mismatch between browser security and expectations O/S boundaries protected Cross-domain content protected Composite pages have a single policy Aggregation (mash-ups) not protected You need a composite policy for a composite page Let’s secure the cookie…
  • 5. The growing risk… Differentiation between Cloud and Local Services is blurring… User Data being aggregated… Personal Data (both local and cloud-based) Storage, Photos, E-Mail, Social Network/ Contacts, IM Devices Phones, GPS, Camera, etc. …and exposed to… Site Services Rich Advertising, Analytics, Maps, Affiliate Programs Site Extensibility Gadgets, Libraries, etc.
  • 6. What about IFrames? Still exploitable… Run-away code… Navigation… Click-Jacking… And not rich enough… Designed for content embedding Established fixed “policies” Won’t work for display integration (e.g., fly outs) Fails for tight integration w/ API’s, CSS Isolation model, not a Security Architecture
  • 7. Web Sandbox Isolate and secure the boundaries via composite host-defined policies Builds on existing knowledge Embrace existing programming patterns Provides browser equalization Open Source Project (Apache License)
  • 8. QoS - Going beyond security Profiles executing code Error tracking and recovery Code Throttling LifeCycle management QoS Demo…
  • 9. Your Web Page Creating Secure Containers Policy and Rules Policy and Rules Policy and Rules Web Sandbox Virtual Machine Web Sandbox Virtual Machine Web Sandbox Virtual Machine Untrusted Script Untrusted Script Untrusted Script
  • 10. Web Sandbox: The Big Picture Trusted Host(e.g., Your Site) Requests Content(untrusted) SandboxVirtual Machine(JavaScript Library) Sandboxed Execution Sandboxed Execution TransformationPipeline (Server or Client-based) Untrusted Content Virtualize Code
  • 11. Transformation Process Request Resource Parse Resource Output JavaScript for execution within the Sandbox VM Let’s take a look….
  • 12. Sandbox Virtual Machine Validates execution against policies Supports instancing and lifecycle Monitors QoS via profiling & throttling Protects external communication
  • 13. Policies Contextually-aware API “tables” Allow/Deny/Augment rules Cascading model Default “Gadget” Policy Supports JavaScript/ W3C DOM Provides Namespace isolation Demo…
  • 14. Trusted/ Untrusted boundaries Custom Policies to Surface Host APIs Demo… Mutually distrusted components sharing single “Trusted” Map
  • 15. Simple Integration… <script src="sandbox2.js"></script> <div id="box"></div> <script src="transform.ashx?type=script&guid=GadgetGUID&ua=IE8&url=http://siteexperts.com/untrusted.js"></script> <script>var instance = new $Sandbox(document.getElementById("box"), $Policy.Gadget, 'GadgetGUID');instance.initialize(); </script>
  • 16. Closing Thoughts… Web Application ecosystem is evolving Applications getting richer via aggregation More valuable services and personal data are exposed The web security model must evolve Web-sandbox adds protection across the boundaries Sites can properly model and enforce the trust relationship Sites can protect themselves and their users Possible without redefining the web… Go play with it (http://websandbox.livelabs.com)
  • 17. Questions? Learn more at: http://websandbox.livelabs.com Also don’t miss the panelSecure Mashups: Getting to Safe Web Plug-insWednesday, 10:55am

Hinweis der Redaktion

  1. Users view versus reality… Start with your site and then expand… explaining the user’s view versus what is really happening
  2. Platforms - cloud data is avaluable – same attack vectors against the PC now exist in the cloud. Currently hacking around for sharing. data
  3. Quality of service demo, code throttling., etcUse TICKING CLOCK!
  4. Request untrusted contentTransform untrusted contentInterceptionProfilingQoS ProtectionWrap a sandbox around contentAssociate with PolicyBind to document node (optional)Execute…
  5. JSON-ize HTML/CSS, Inject interception, profiling, QoS hooks, and Lifecycle (factory) supportPerforms an A->B TransformationPerforms syntactic validationNo security at this point
  6. DO A DEMO OF A POLICY EXPLAINING DOCUMENT.BODYDo prototype overriding and namespace explanationaddEventListener…
  7. Some scenarios are so extreme, becoming a platform themselveLocal capabilities are being exposed, cloud Capabilities are increasing in valueBe aware of these challenges in your applications…