OMash: enabling secure web mashups via object abstractions Export

@inproceedings{citeulike:3806016, abstract = {The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications.}, address = {New York, NY, USA}, author = {Crites, Steven and Hsu, Francis and Chen, Hao}, booktitle = {CCS '08: Proceedings of the 15th ACM conference on Computer and communications security}, citeulike-article-id = {3806016}, citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=1455770.1455784}, citeulike-linkout-1 = {http://dx.doi.org/10.1145/1455770.1455784}, doi = {10.1145/1455770.1455784}, isbn = {978-1-59593-810-7}, keywords = {aggregators, ajax, browsers, javascript, mashup, security, web}, location = {Alexandria, Virginia, USA}, pages = {99--108}, posted-at = {2009-05-23 04:47:53}, priority = {2}, publisher = {ACM}, title = {OMash: enabling secure web mashups via object abstractions}, url = {http://dx.doi.org/10.1145/1455770.1455784}, year = {2008} }

TY - CONF ID - citeulike:3806016 L3 - citeulike-article-id:3806016 N2 - The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications. CY - Alexandria, Virginia, USA SN - 978-1-59593-810-7 AD - New York, NY, USA EP - 108 TI - OMash: enabling secure web mashups via object abstractions PB - ACM T2 - CCS '08: Proceedings of the 15th ACM conference on Computer and communications security SP - 99 KW - aggregators KW - ajax KW - browsers KW - javascript KW - mashup KW - security KW - web AU - Crites, Steven AU - Hsu, Francis AU - Chen, Hao PY - 2008/// UR - http://dx.doi.org/10.1145/1455770.1455784 ER -