Subspace: Secure Cross Domain Communication for Web Mashups
Collin Jackson and Helen J. Wang
Mamadou H. Diallo


2 Overview

Motivation
- Mashups: websites or web applications that combine content from multiple sources
- Example: www.housingmaps.com, Google Personalized Homepage, Windows Live
- Issues: current web mashups don't address security issues
- Same origin security model

Existing approaches
- tags: uncontrolled cross domain execution - high security risks
- Browser plugins: cross domain interaction - inconvenient for users
- Gadget aggregators: inline or sandbox
- Proposals for cross-domain communication mechanisms

Approach: Subspace
- A cross-domain communication mechanism
- Allows efficient and secure communication across domains
- Provides a communication channel between the aggregator and each gadget
- Channel: JavaScript objects passed across the frames
- Protect aggregators against malicious web services and gadgets

Implementation
- Subspace implemented using JavaScript

3 Mashups: Communication across domains

Current Practice

Same-origin policies
- Sandbox model
- Same-origin principle: only the site that stores some information in the browser may read or modify that information
- Applied loosely: same-origin policies
- JavaScript restrictions (policies): regulate access to inline frames (IFRAMEs) and XMLHttpRequest
- Protects the secrecy of HTML documents and the integrity of a page

Proxies

Cross-domain tags

Browser plugins

Fragment identifier messaging

4 Subspace

Cross-subdomain communication
- Site:
- Example:

Cross-domain code authorization
- Dynamic authorization
- Static authorization

Cross-domain frame access
- Permissive
- Restrictive
- Configurable
- Permissive, but restrict location

5 Single Web Service

Technique
- Add a throwaway subdomain
- Example:

Set-up phase
- 1. Create a mediator frame (hidden frame)
- 2. Create untrusted frame
- 3. Pass JavaScript communication object
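
Added example (not from the slides or from the Subspace authors): a Node.js model of the frame access check that the set-up phase above relies on, walking its three steps. The host names, the Frame class and the order in which the mediator takes its handle into the untrusted frame are assumptions of this model; plain objects stand in for browser windows.

```javascript
// Model only: frames are plain objects, not browser windows; hosts are hypothetical.
class Frame {
  constructor(host) {
    this.host = host;        // host the document was loaded from
    this.domain = host;      // effective document.domain
    this.domainSet = false;  // true once a script has assigned document.domain
    this.globals = {};       // stands in for properties of the frame's window
  }
  // document.domain can only be relaxed to a parent suffix of the host.
  setDomain(value) {
    if (this.host !== value && !this.host.endsWith('.' + value)) {
      throw new Error(this.host + ' may not claim ' + value);
    }
    this.domain = value;
    this.domainSet = true;
  }
}

// Frame access check (scheme and port assumed equal): both frames must have
// set document.domain to the same value, or neither set it and hosts match.
function canAccess(from, to) {
  return from.domainSet === to.domainSet && from.domain === to.domain;
}

// Reaching into another frame's window throws unless the check passes.
function reach(from, to) {
  if (!canAccess(from, to)) throw new Error('SecurityError');
  return to.globals;
}

function setupSingleService() {
  const top = new Frame('www.mashup.example');
  const mediator = new Frame('webservice.mashup.example');   // step 1
  const untrusted = new Frame('webservice.mashup.example');  // step 2
  // Assumed ordering: the mediator takes a handle into the untrusted frame
  // while the two are still same-origin.
  const slot = reach(mediator, untrusted);
  const before = canAccess(top, mediator);
  top.setDomain('mashup.example');                           // step 3
  mediator.setDomain('mashup.example');
  const channel = { inbox: [] };           // the communication object
  reach(top, mediator).channel = channel;  // top frame -> mediator
  slot.channel = mediator.globals.channel; // mediator -> untrusted
  untrusted.globals.channel.inbox.push('request from gadget');
  return { before, after: canAccess(top, mediator),
           untrustedSeesTop: canAccess(untrusted, top),
           untrustedSeesMediator: canAccess(untrusted, mediator),
           delivered: channel.inbox.slice() };
}
```

In the returned object, the untrusted frame never passes the access check against the top frame, yet the message it pushed arrives through the shared object.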

6 Single Web Service

Data Exchange
- Static authorization model for closures
  - Provides easy communication mechanism between the top frame and the untrusted frame
  - Untrusted frame: adds data request closure to the JavaScript object
  - Argument: data response callback
  - tag: inserted dynamically into the untrusted frame
  - Tag points to some JavaScript format hosted by the web service
  - After loading data from the remote web service, the tag invokes the data response callback
- Dynamic authorization model for closures
  - Does not support callback system
  - Workaround: catch the security exception that is thrown when an unauthorized access occurs

7 Multiple Web Service

Challenges
- Protecting mashup domain
- Protecting web services from each other

Restrictive frame access
- The scheme for single web service can be directly adopted
- Use nested frame structure

Permissive frame access
- Examples: Firefox, Safari, IE7
- Separating is much more difficult
- Configuration: any frame anywhere on the page can be reached by any other frame
- Solution: use a new throwaway domain for each web service

8 Multiple Web Service

Procedure
- 1. Create mediator frame
- 2. Create untrusted frame
- 3. Create access frame
- 4. Pass JavaScript communication object
- 5. Cleanup
- 6. Repeat for every gadget
- 7. Load untrusted content

9 Evaluation: Mashup Measurements

Performance

Example mashup
- Web service 1: Flickr
- Web service 2: del.icio.us
- Mashup: KittenMark: allows posting the 20 most recent kitten photos from Flickr to del.icio.us

Three architectures
- Proxy
- Unsafe
- Subspace

Measurements
- Built an automated timing framework
- Measured the time to load the initial page
- Measured the time to download the latest list of kittens from Flickr

10 Evaluation: Gadget Aggregator Measurements

Application
- Simple gadget aggregator
- Allows the user to customize the font color of all his or her gadgets

Three gadget aggregator architectures
- Sandboxed
- Unsafe
- Subspace

Time Measurement
- Used the automated timing framework
- Measured the setup time
- Measured the time it took to change the font color

11 Related Work

XML access-control instruction
- W3C working draft
- : authorization of read access to XML content

JSONRequest (JavaScript Object Notation Request)
- Can perform cross-domain data requests
- Accepts only data with the MIME type application/json

BrowserShield
- Preprocesses the gadget's JavaScript code to ensure that it can only perform actions within a set of acceptable guidelines
- Developing these policies is a challenging problem
- Could prevent some denial-of-service

Cross-document messages
- Proposal for a browser standard
- Allows frames to send string messages to each other regardless of their source domain

12 Comments
- Motivation
- Spatio-Temporal Predicates

13 Questions?

