A SECURE PROXY-BASED CROSS-DOMAIN COMMUNICATION FOR WEB MASHUPS

Authors

  • SHUN-WEN HSIAO National Taiwan University and Academia Sinica
  • YEALI S. SUN National Taiwan University
  • MENG CHANG CHEN Academia Sinica

Keywords:

Web mashup, same origin policy, access control, proxy

Abstract

A web mashup is a web application that integrates content from heterogeneous sources to provide users with an integrated and seamless browsing experience. Client-side mashups differ from server-side mashups in that the content is integrated in the browser using client-side scripts. However, the legacy same origin policy implemented by current browsers cannot provide a flexible client-side communication mechanism for exchanging information between resources from different sources. To address this problem, we propose a secure client-side cross-domain communication mechanism facilitated by a trusted proxy and the HTML 5 postMessage method. The proxy-based model supports fine-grained access control for elements that belong to different sources in web mashups, and the design guarantees confidentiality, integrity, and authenticity during cross-domain communications. The proxy-based design also allows users to browse mashups without installing browser plug-ins. For mashup developers, the provided API minimizes the amount of code modification. The results of experiments demonstrate that the overhead incurred by our proxy model is low and reasonable. We anticipate that the proxy-based design can help mashup platform providers offer a better solution to mashup developers and users.

Published

2013-01-29

How to Cite

HSIAO, S.-W., SUN, Y. S., & CHEN, M. C. (2013). A SECURE PROXY-BASED CROSS-DOMAIN COMMUNICATION FOR WEB MASHUPS. Journal of Web Engineering, 12(3-4), 291–316. Retrieved from https://journals.riverpublishers.com/index.php/JWE/article/view/4163

Section

Articles