Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009

Outline Security User Interface Goals of a browser When is it safe to type my password? Same-Origin Policy How sites are isolated Opting out of isolation Navigation Frame hijacking Navigation policy

3 Running Remote Code is Risky Integrity Compromise your machine Install malware rootkit Transact on your accounts Confidentiality Read your information Steal passwords Read your

4 Browser Sandbox Goal Run remote web applications safely Limited access to OS, network, and browser data Approach Isolate sites in different security contexts Browser manages resources, like an OS

5 Security User Interface When is it safe to type my password?

Safe to type your password? 6

7

8

9 ???

Safe to type your password? 10

Frames Modularity Brings together content from multiple sources Client-side aggregation Delegation Frame can draw only on its own rectangle src = 7.gmodules.com/... name = remote_iframe_7 src = google.com/… name = awglogin

Popup windows With hyperlinks click here With JavaScript mywin = window.open(“ “foo”, “width=10,height=10”) Navigating named window re-uses existing one Can access properties of remote window: mywin.document.body mywin.location = “

Windows Interact 13

Are all interactions good? 14

15 Same-Origin Policy How does the browser isolate different sites?

Policy Goals Safe to visit an evil web site Safe to visit two pages at the same time Address bar distinguishes them Allow safe delegation

Same Origin Policy Origin = protocol://host:port Full access to same origin Full network access Read/write DOM Storage (more on Weds.) Assumptions? Site A Site A context

Library import Script has privileges of imported page, NOT source server. Can script other pages in this origin, load more scripts Other forms of importing VeriSign

Data export Many ways to send information to other origins No user involvement required Cannot read back response

Domain Relaxation Origin: scheme, host, (port), hasSetDomain Try document.domain = document.domain chat.facebook.com facebook.com

Recent Developments Cross-origin network requests Access-Control-Allow-Origin: Access-Control-Allow-Origin: * Cross-origin client side communication Client-side messaging via navigation (older browsers) postMessage (newer browsers) Site B Site A Site A contextSite B context

window.postMessage New API for inter-frame communication Supported in latest betas of many browsers A network-like channel between frames Add a contact Share contacts

postMessage syntax frames[0].postMessage("Attack at dawn!", " window.addEventListener("message", function (e) { if (e.origin == " {... e.data... } }, false); Facebook Anecdote Facebook Anecdote Attack at dawn!

24 Navigation Who decides what content goes in a frame?

25 A Guninski Attack awglogin window.open(" "awglogin");

What should the policy be? 26 Child Sibling Descendant Frame Bust

BrowserPolicy IE 6 (default)Permissive IE 6 (option)Child IE7 (no Flash)Descendant IE7 (with Flash)Permissive Firefox 2Window Safari 3Permissive Opera 9Window HTML 5Child Legacy Browser Behavior

Window Policy Anomaly top.frames[1].location = " top.frames[2].location = "

BrowserPolicy IE7 (no Flash)Descendant IE7 (with Flash)Descendant Firefox 3Descendant Safari 3Descendant Opera 9(many policies) HTML 5Descendant Adoption of Descendant Policy

Why include “targetOrigin”? What goes wrong? frames[0].postMessage("Attack at dawn!"); Messages sent to frames, not principals When would this happen? 30

Conclusion Same origin policy is flexible Address bar reflects the principal that's in control Content may be affected by other principals Delegation Library import Domain relaxation Pixel delegation via frames Communication Data export Opt-in messaging

Reading Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell iki/Part2#Same-origin_policy