cross document messaging, html 5
Cross document messaging
Kristoffer Snabb
Intro
• Cross-domain XHR is not possible in many cases due to security restrictions
• Hacks and methods have been developed to be able to do cross-domain messaging
Classic CSRF
Link injection
Solutions to secure websites from CSRF
• Same origin policy in browsers
• Web site protection methods
  – Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions
  – Requiring the client to provide authentication data in the same HTTP request used to perform any operation with security implications (money transfer, etc.)
  – Limiting the lifetime of session cookies
  – Checking the HTTP Referer header + HTTPS
How to XHR cross domain?
• Older solutions
  – JSONP = <script> element and GET requests
  – document.domain = (www) example.com
  – window.name = ”message to iframe and back”
  – Server-side proxy = lot of work
  – Iframe hacks = complex hack
  – http://easyxdm.net = JavaScript library using any of the above
• New and beautiful
  – CORS (W3C working draft)
  – Cross document messaging (HTML 5)
CORS
Cross document messaging HTML 5
Comparison
• Messaging
  – Client-side proxy
  – Can be made more complex; the client takes the computing overhead
  – Requires a messaging protocol between the actors (documents)
• CORS
  – Server-side solution
  – Very simple to implement, or configure Apache to handle CORS
  – Only HTTP requests
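The "server-side solution" side of the comparison, as an added Node.js example that is not part of the slides: a function that decides which Access-Control-* headers a response may carry, including the preflight for non-simple requests. The origins in the allow list, the permitted methods and headers, and the `attachCors` wrapper are assumptions for the demo. The security-relevant point is that the allowed origin is matched exactly against a list rather than echoing whatever `Origin` the request carried:

```javascript
// Assumed allow list; a real deployment would load this from configuration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["Content-Type", "X-CSRF-Token"];

// `req` is a request-like object: { method, headers } with lowercase header names,
// which is what Node's http module provides. Returns the CORS part of the response.
function corsDecision(req) {
  const origin = req.headers.origin;
  // No Origin header: same-origin navigation or a non-browser client, nothing to add.
  if (!origin) return { status: 200, headers: {} };

  // Exact allow-list match. Reflecting an arbitrary Origin (or "*" together with
  // credentials) would let every site read authenticated responses.
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No CORS headers at all: the browser then refuses to expose the response.
    return { status: req.method === "OPTIONS" ? 403 : 200, headers: {} };
  }

  const headers = {
    "Access-Control-Allow-Origin": origin,
    // Cookies are allowed only because this origin is explicitly trusted.
    "Access-Control-Allow-Credentials": "true",
    // Shared caches must key on Origin since the answer differs per origin.
    "Vary": "Origin",
  };

  // Preflight: the browser asks first for non-simple requests (custom headers, JSON, ...).
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    const wanted = req.headers["access-control-request-method"].toUpperCase();
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache the preflight
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Wrap an http.createServer handler so every response gets the decision applied
// and preflights are answered without reaching the application handler.
function attachCors(handler) {
  return (req, res) => {
    const d = corsDecision(req);
    for (const [name, value] of Object.entries(d.headers)) res.setHeader(name, value);
    if (req.method === "OPTIONS") {
      res.writeHead(d.status);
      res.end();
      return;
    }
    handler(req, res);
  };
}

// Constructed requests showing the three outcomes:
console.log(corsDecision({ method: "OPTIONS",
  headers: { origin: "https://app.example.com", "access-control-request-method": "POST" } }));
console.log(corsDecision({ method: "GET", headers: { origin: "https://other.example.org" } }));
console.log(corsDecision({ method: "GET", headers: {} }));
```

Mount it with `http.createServer(attachCors(myHandler))`. Note that CORS only governs what the browser lets a page read; it does not replace the CSRF defences listed earlier, because a cross-site form POST is sent without any preflight.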
Messaging demo
• Cross document basics
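The cross-document basics behind the demo, written out as an added example (not the presenter's demo code): a parent page at one origin and an iframe at another exchange messages with `window.postMessage`. The two origins, the message types and the `setTheme` command are assumptions. The receiver's handler is a plain function so it can be exercised outside a browser; the two checks it shows are that the sender always names an explicit `targetOrigin` and that the receiver verifies `event.origin` and the shape of `event.data` before acting:

```javascript
const PARENT_ORIGIN = "https://app.example.com";    // assumed: page that embeds the iframe
const WIDGET_ORIGIN = "https://widget.example.net"; // assumed: origin of the iframe document

// --- Receiver side (runs in the iframe) ---
// Returns the command to execute, or null when the message must be ignored.
function acceptMessage(event, allowedOrigins) {
  // 1. Check where the message came from before looking at its content.
  if (!allowedOrigins.includes(event.origin)) return null;
  // 2. Even from a trusted origin, treat the payload as untrusted input: validate its shape.
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") return null;
  if (msg.type === "setTheme" && typeof msg.theme === "string" && /^[a-z]+$/.test(msg.theme)) {
    return { action: "theme", value: msg.theme };
  }
  if (msg.type === "ping") return { action: "pong", value: msg.id };
  return null; // unknown message type
}

// Wire the handler up when running inside a browser document.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (event) => {
    const cmd = acceptMessage(event, [PARENT_ORIGIN]);
    if (!cmd) return;
    // Reply to the verified sender only, and only to its exact origin.
    event.source.postMessage({ type: "ack", action: cmd.action }, event.origin);
  });
}

// --- Sender side (runs in the parent page) ---
// An explicit targetOrigin instead of "*" makes the browser drop the message if the
// frame has meanwhile navigated to another site, so the data never reaches the wrong document.
function sendToWidget(frameWindow, message) {
  frameWindow.postMessage(message, WIDGET_ORIGIN);
}

// Constructed events showing what the receiver does with each:
const fromParent = { origin: PARENT_ORIGIN, data: { type: "setTheme", theme: "dark" } };
const fromElsewhere = { origin: "https://other.example.org", data: { type: "setTheme", theme: "dark" } };
const badPayload = { origin: PARENT_ORIGIN, data: { type: "setTheme", theme: "<b>x</b>" } };
console.log(acceptMessage(fromParent, [PARENT_ORIGIN]));    // { action: 'theme', value: 'dark' }
console.log(acceptMessage(fromElsewhere, [PARENT_ORIGIN])); // null
console.log(acceptMessage(badPayload, [PARENT_ORIGIN]));    // null
```

In the parent page, `sendToWidget(document.getElementById("widget").contentWindow, { type: "ping", id: 1 })` sends the message; the iframe's listener answers with an `ack` to `event.source`. This is the "messaging protocol between the actors" the comparison slide mentions: both sides have to agree on the message types and validate them.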
MessageChannel
• A message channel can be used to create a connection between windows
• Avoids conflicts with e.g. two iframes sending messages
• Can be used as an abstraction
• But origins are lost using channels, which can be seen as insecure
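One way to keep the origin guarantee that the last bullet says is lost, as an added example (not from the slides): the only message that carries the port travels over `window.postMessage`, which does expose `event.origin`, and the port is adopted only if that origin is the trusted one. Afterwards every message on the port is known to come from that peer, even though messages on a `MessagePort` carry no origin of their own. The peer origin, the `channel-offer` message type and the endpoint helper are assumptions; the handshake logic is kept in plain functions so it can be checked without a browser:

```javascript
const TRUSTED_PEER = "https://widget.example.net"; // assumed origin of the iframe document

// Decide whether a window "message" event is an acceptable channel offer.
// Returns the transferred port, or null. This is the single place the origin is checked.
function adoptPortFrom(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return null;
  if (!event.data || event.data.type !== "channel-offer") return null;
  const port = Array.isArray(event.ports) ? event.ports[0] : undefined;
  return port && typeof port.postMessage === "function" ? port : null;
}

// --- Parent side: create the channel and hand one end to the child document ---
// targetOrigin on the postMessage ensures only the intended document receives the port.
function offerChannel(childWindow, childOrigin) {
  const { port1, port2 } = new MessageChannel();
  childWindow.postMessage({ type: "channel-offer" }, childOrigin, [port2]);
  return port1;
}

// --- Child side: adopt at most one port, and remember the origin it was verified against ---
function createChannelEndpoint(trustedOrigin) {
  const state = { port: null, peerOrigin: null, received: [] };
  return {
    state,
    // Called for every window "message" event. Only the first valid offer is honoured,
    // so the binding between port and peer origin cannot be replaced later.
    onWindowMessage(event) {
      if (state.port) return false;
      const port = adoptPortFrom(event, trustedOrigin);
      if (!port) return false;
      state.port = port;
      state.peerOrigin = event.origin;
      // Port messages have no origin; it is the adoption step above that vouches for them.
      port.onmessage = (e) => { state.received.push(e.data); };
      if (typeof port.start === "function") port.start();
      return true;
    },
    // No targetOrigin argument here: the port is already bound to the verified peer.
    send(data) {
      if (state.port) state.port.postMessage(data);
    },
  };
}

// Browser wiring for the child document:
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  const endpoint = createChannelEndpoint(TRUSTED_PEER);
  window.addEventListener("message", (event) => endpoint.onWindowMessage(event));
}
```

Because the two iframes of the slide's example each get their own channel, their messages can no longer be confused with each other, which is the conflict-avoidance the slide describes; the origin check on the offer is what keeps that abstraction from becoming the insecure variant.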
Conclusions
• Cross document messaging requires a lot of implementation
• Lots of possibilities on the client side
• Channel messaging does not work yet
• CORS is a viable option
Articles
• “A Mashup Tool for Cross-Domain Web Applications Using HTML5 Technologies”, Akiyoshi Matono, Akihito Nakamura, and Isao Kojima, 2011
• “Robust Defenses for Cross-Site Request Forgery”, Adam Barth, Collin Jackson, John C. Mitchell, 2008
• “Automatic and Precise Client-Side Protection against CSRF Attacks”, Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens, 2011
• “Securing Frame Communication in Browsers”, Adam Barth, Collin Jackson, and John C. Mitchell, 2008