Access Restriction

Author Jackson, Collin ♦ Mitchell, John C. ♦ Barth, Adam
Source ACM Digital Library
Content type Text
Publisher Association for Computing Machinery (ACM)
File Format PDF
Language English
Abstract Many Web sites embed third-party content in frames, relying on the browser's security policy to protect against malicious content. However, frames provide insufficient isolation in browsers that let framed content navigate other frames. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in the open-source browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also affects communication between cooperating frames. We therefore analyze two techniques for interframe communication between isolated frames. The first method, fragment identifier messaging, initially provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, <code>postMessage</code>, initially provides authentication, but we discover an attack that breaches confidentiality. We propose improvements in the <code>postMessage</code> API to provide confidentiality; our proposal has been standardized and adopted in browser implementations.
Description Affiliation: UC Berkeley (Barth, Adam) || Stanford University (Jackson, Collin; Mitchell, John C.)
Age Range 18 to 22 years ♦ above 22 year
Educational Use Research
Education Level UG and PG
Learning Resource Type Article
Publisher Date 2005-08-01
Publisher Place New York
Journal Communications of the ACM (CACM)
Volume Number 52
Issue Number 6
Page Count 9
Starting Page 83
Ending Page 91

Open content in new tab

   Open content in new tab
Source: ACM Digital Library