BibTeX
@MISC{Jackson_bewareof,
author = {Collin Jackson},
title = {Beware of Finer-Grained Origins},
year = {}
}
Bookmark
 |
 |
 |
 |
 |
 |
OpenURL
Abstract
The security policy of browsers provides no isolation between documents from the same origin (scheme, host, and port), even if those documents have different security characteristics. We show how this lack of isolation leads to origin contamination vulnerabilities in a number of browser security features, such as cookies, encryption, and code signing. A tempting approach to fixing these vulnerabilities is to refine the browser’s notion of origin, leveraging the browser’s built-in isolation between security contexts. We demonstrate that attackers can circumvent these “finergrained origins ” using the library import and data export features of browsers. We discuss several approaches to preventing these attacks. 1
Citations
| 34 | Passpet: convenient password management and phishing protection - Yee, Sitaker - 2006 |
| 33 | Securing frame communication in browsers - Barth, Jackson, et al. - 2008 |
| 32 | Protecting browsers from DNS rebinding attacks - Jackson, Barth, et al. - 2007 |
| 16 | ForceHTTPS: Protecting high-security web sites from network attacks - Jackson, Barth - 2008 |
| 16 | Dynamic pharming attacks and locked same-origin policies for web browsers - Karlof, Shankar, et al. - 2007 |
| 6 | WSKE: Web server key enabled cookies - Masone, Baek, et al. |
| 2 | Cookie Path Best Practice,” http://research. corsaire.com/whitepapers/040323-cookie-path-best-practice. pdf - O’Neal |
| 1 | Decentralized identification. http:// www.waterken.com/dev/YURL - Close |
| 1 | Petname tool. http://www. waterken.com/user/PetnameTool - Close |
| 1 | SafeLock: Preventing origin contamination by mixed content - Jackson, Barth - 2008 |
