SMash: secure component model for cross-domain mashups on unmodified browsers Export

@inproceedings{citeulike:3790357, abstract = {Mashup applications mix and merge content (data and code) from multiple content providers in a user's browser, to provide high-value web applications that can rival the user experience provided by desktop applications. Current browser security models were not designed to support such applications and they are therefore implemented with insecure workarounds. In this paper, we present a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of a security policy. We have developed an implementation of this model that works currently in all major browsers, and addresses challenges of communication integrity and frame-phishing. An evaluation of the performance of our implementation shows that this approach is not just feasible but also practical.}, address = {New York, NY, USA}, author = {De Keukelaere, Frederik and Bhola, Sumeer and Steiner, Michael and Chari, Suresh and Yoshihama, Sachiko}, booktitle = {WWW '08: Proceeding of the 17th international conference on World Wide Web}, citeulike-article-id = {3790357}, citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=1367497.1367570}, citeulike-linkout-1 = {http://dx.doi.org/10.1145/1367497.1367570}, doi = {10.1145/1367497.1367570}, isbn = {978-1-60558-085-2}, keywords = {aggregators, ajax, browsers, javascript, mashup, security, web}, location = {Beijing, China}, pages = {535--544}, posted-at = {2009-05-23 04:46:03}, priority = {2}, publisher = {ACM}, title = {SMash: secure component model for cross-domain mashups on unmodified browsers}, url = {http://dx.doi.org/10.1145/1367497.1367570}, year = {2008} }

TY - CONF ID - citeulike:3790357 L3 - citeulike-article-id:3790357 N2 - Mashup applications mix and merge content (data and code) from multiple content providers in a user's browser, to provide high-value web applications that can rival the user experience provided by desktop applications. Current browser security models were not designed to support such applications and they are therefore implemented with insecure workarounds. In this paper, we present a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of a security policy. We have developed an implementation of this model that works currently in all major browsers, and addresses challenges of communication integrity and frame-phishing. An evaluation of the performance of our implementation shows that this approach is not just feasible but also practical. CY - Beijing, China SN - 978-1-60558-085-2 AD - New York, NY, USA EP - 544 TI - SMash: secure component model for cross-domain mashups on unmodified browsers PB - ACM T2 - WWW '08: Proceeding of the 17th international conference on World Wide Web SP - 535 KW - aggregators KW - ajax KW - browsers KW - javascript KW - mashup KW - security KW - web AU - De Keukelaere, Frederik AU - Bhola, Sumeer AU - Steiner, Michael AU - Chari, Suresh AU - Yoshihama, Sachiko PY - 2008/// UR - http://dx.doi.org/10.1145/1367497.1367570 ER -