Cross document messaging, HTML 5
Cross document messaging
Kristoffer Snabb
Intro
• Cross-domain XHR is not possible in many cases due to security restrictions
VS.
• Hacks and methods have been developed to be able to do cross-domain messaging
Classic CSRF
Link injection
Solutions to secure websites from CSRF
• Same origin policy in browsers
• Web site protection methods
– Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions
– Requiring the client to provide authentication data in the same HTTP request used to perform any operation with security implications (money transfer, etc.)
– Limiting the lifetime of session cookies
– Checking the HTTP Referer header + HTTPS
How to XHR cross domain?
• Older solutions
– JSONP = <script> element and GET requests
– document.domain = (www) example.com
– window.name = "message to iframe and back"
– Server-side proxy = lot of work
– Iframe hacks = complex hack
– http://easyxdm.net = JavaScript library using any of the above
• New and beautiful
– CORS (W3C working draft)
– Cross document messaging (HTML 5)
CORS
Cross document messaging HTML 5
Comparison
• Messaging
– Client-side proxy
– Can be made more complex; the client takes the computing overhead
– Requires a messaging protocol between the actors (documents)
• CORS
– Server-side solution
– Very simple to implement, or configure Apache to handle CORS
– Only HTTP requests
Messaging demo
• Cross document basics
MessageChannel
• MessageChannel can be used to create a connection between windows
• Avoids conflicts with e.g. two iframes sending messages
• Can be used as an abstraction
• But origins are lost using channels, which can be seen as insecure
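The cross document basics from the messaging demo and the origin problem noted for MessageChannel, as an added example that is not part of the slides: a receiver that accepts window messages only from an allowlisted origin (port messages arrive with an empty origin and are rejected), and a sender that refuses the "*" targetOrigin. The names TRUSTED_ORIGINS, ALLOWED_TYPES, acceptMessage and sendMessage and the sample origins are assumed for illustration.

```javascript
// Constructed sample allowlist; a real deployment lists its own origins.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.com",
]);
// Message types this document is willing to act on.
const ALLOWED_TYPES = new Set(["getHeight", "setHeight"]);

// Validate one MessageEvent-like object ({origin, data}). Returns the accepted
// request, or null when the message must be ignored. A message delivered over
// a MessagePort (MessageChannel) has origin "", so it is rejected here: a port
// only inherits trust from the origin-checked window message that carried it.
function acceptMessage(event) {
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return null;                                   // unknown or missing origin
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object") return null;  // no raw strings
  if (typeof msg.type !== "string" || !ALLOWED_TYPES.has(msg.type)) return null;
  if (msg.type === "setHeight" && !Number.isInteger(msg.payload)) return null;
  return { type: msg.type, payload: msg.payload };
}

// Send a structured message to a target window with targetOrigin pinned.
// "*" is refused: whatever document is loaded in that frame by the time the
// message is delivered would be able to read it. Returns true when sent.
function sendMessage(targetWindow, msg, targetOrigin) {
  // Policy of this example: only https origins without a path.
  if (targetOrigin === "*" || !/^https:\/\/[^/]+$/.test(targetOrigin)) {
    return false;
  }
  targetWindow.postMessage(msg, targetOrigin);
  return true;
}

// Browser wiring; a no-op outside a window context (e.g. under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const req = acceptMessage(event);
    if (req === null) return;
    if (req.type === "getHeight") {
      const reply = { type: "setHeight", payload: document.body.scrollHeight };
      sendMessage(event.source, reply, event.origin);  // reply to sender only
    }
  });
}
```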
Conclusions
• Cross document messaging requires a lot of implementation
• Lots of possibilities on the client side
• Channel messaging does not work yet
• CORS is a viable option