Module 13 Flashcards
frame
a way to embed a page within a page
what do we specify in frame isolation?
outer page can specify only size and placement of inner page
outer page cannot change content of inner page
inner page cannot change contents of outer page
same origin policy (SOP)
one origin should not be able to access resources of another origin
what resources does SOP pertain to?
cookies, DOM tree, DOM storage, JS namespace, visual display area
what is an origin?
granularity of protection from SOP
origin = protocol + hostname + port
http://cis.upenn.edu:80/
how is origin determined?
string matching (a different path is fine)
http vs https is NOT fine (different protocol = different origin)
different ports are NOT fine either
origins of different objects
images inherit origin of site that loads them
JS inherits the origin of site that loads it
DOM nodes get origin of surrounding frame
cookies are URL + path
frames are more complicated
frames do not adopt the origin of the outer site (t/f)
true / a frame's origin is its own URL
unless
you change it to a suffix of its domain
- frame for cis.upenn.edu can change its origin to upenn.edu via document.domain
- but not to top-level domain such as .edu
two frames can access each other’s resources if:
both frames set document.domain to same value
neither has changed document.domain (and there is a match)
when is cross domain allowed?
if both origins opt in
- postMessage interface
- one site has an event listener that waits for messages
- other site is a client and issues messages
what is clickjacking?
attacker makes an inner frame invisible
attacker puts another web element underneath, tricking the user into doing things they don't want to do
defenses
- user confirmation (pop up)
- UI randomization (move dialogue / forms around so it is hard for attacker to align content)
- X-Frame-Options header (server can tell browser: "do not allow my content to be shown in a frame")
- framebusting code (code that prevents a page from being loaded into a frame)
framebusting code
if (self != top) {                 // this page is not the top-level window, i.e. it is being framed
  top.location = self.location;    // navigate the top-level window to this page, escaping the frame
}
HTML5 screen capture / screen sharing
if a frame takes a screenshot it can take a screenshot of entire page
can see content in all other frames
- including sensitive info
solution: stop using your computer