Securing Interaction for Sites, Apps and Extensions in the Browser Brad Miller J. D. Tygar
Sharing Information in the Cloud How will we share information between apps? Web interface dominant Need for robust cross-domain mechanisms Many advantages Less control Less flexibility
Server AServer B Cross-Domain XHRpostMessageContent Security Policy Origin A In Browser Origin B In Browser Same Origin Policy Evolved Security Mechanisms Server AServer B Same Origin Policy Cross-Domain XHRpostMessageContent Security Policy Origin A In Browser Origin B In Browser These features are not enough Workarounds will emerge
The Chrome Approach Chrome merges “apps” and “extensions” – Web apps can be installed from a web store Users grant apps privileges at install time – Domain level granularity – Cookies, script injection & cross-domain requests
Fundamental Modifications – Designs app/extension, writes manifest – Chooses to install app, approves manifest – Unable to participate Site designer should help mediate access – Best understanding of data – Best incentive to protect data Leverage real-world meaning of data – Policies users can understand UserApp DeveloperSite Designer
DOM Node Tags Privacy tags: protect read access – address, financial, medical, photo/video, etc. Integrity tags: protect write access – Designed on a custom basis per site = node tagged as “financial” = inherited “financial” tag from parent Underlying DOM Menubar Summary Transactions Website Menubar Individual Account Transactions Summary of Accounts
Restricting Scripts 2 Types of scripts – Requested by site during normal execution – Inserted by browser on behalf of an extension/app 4 Types of protection Requested by site Inserted by browser PrivacyIntegrity
Determining Policies User sets policy for extensions at install time Site designer sets policy for web scripts Site makes recommendation for extensions Negotiation resolves any conflicts Requested by site Inserted by browser PrivacyIntegrity
Policy Negotiation Negotiation occurs first time a user visits a site Can be per extension or across all extensions correspondence photos/videos medical financial correspondence photos/videos Site RecommendationUser Settings Are you sure you want to let extensions access your medical and financial data on this site?
Example: Photo Editing Privacy tags restrict access to photos Cross-Domain XHR more cumbersome – Would require support from Facebook – Not flexible enough for long term success Facebook Photo Editor Denied Allowed Denied Contact Info Wall Posts Photos
Example: Identity Theft Shopping Website Bank Website Evil or Vulnerable Installed App Credit Card Info Purchase Record Purchase Record Script injection Credit Card Info Script Injection Tag Protection
Improvements over status quo Usability – Choices are more natural for humans Better policies – Privacy tags leverage semantic meaning of data – Integrity tags allow finer granularity in page access Better incentives – Party with most knowledge and stake plays a role
Future Work & Open Questions Handling DOM updates – Approved script writes new nodes into DOM – What tags should be assigned to new nodes? Privacy tag set – Fixed set could be restrictive – Custom set harder to work with