Using encryption for authentication in large networks of computers
Communications of the ACM
Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR
TACAs '96 Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Subspace: secure cross-domain communication for web mashups
Proceedings of the 16th international conference on World Wide Web
BrowserShield: vulnerability-driven filtering of dynamic HTML
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Protection and communication abstractions for web browsers in MashupOS
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Protecting browsers from DNS rebinding attacks
Proceedings of the 14th ACM conference on Computer and communications security
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
SMash: secure component model for cross-domain mashups on unmodified browsers
Proceedings of the 17th international conference on World Wide Web
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
OMash: enabling secure web mashups via object abstractions
Proceedings of the 15th ACM conference on Computer and communications security
Privacy-preserving browser-side scripting with BFlow
Proceedings of the 4th ACM European conference on Computer systems
Privacy-aware identity management for client-side mashup applications
Proceedings of the 5th ACM workshop on Digital identity management
A lattice-based approach to mashup security
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Isolating JavaScript with filters, rewriting, and wrappers
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Cross-origin JavaScript capability leaks: detection, exploitation, and defense
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
The multi-principal OS construction of the Gazelle web browser
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Rootkits for JavaScript environments
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
Compositional System Security with Interface-Confined Adversaries
Electronic Notes in Theoretical Computer Science (ENTCS)
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
WebAppArmor: a framework for robust prevention of attacks on web applications
ICISS'10 Proceedings of the 6th international conference on Information systems security
Designing and Implementing the OP and OP2 Web Browsers
ACM Transactions on the Web (TWEB)
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Practical end-to-end web content integrity
Proceedings of the 21st international conference on World Wide Web
A formal security model of a smart card web server
CARDIS'11 Proceedings of the 10th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Security of web mashups: a survey
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
AdSplit: separating smartphone advertising from applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
FlowFox: a web browser with flexible and precise information flow control
Proceedings of the 2012 ACM conference on Computer and communications security
A measurement study of insecure JavaScript practices on the web
ACM Transactions on the Web (TWEB)
Building confederated web-based services with Priv.io
Proceedings of the first ACM conference on Online social networks
Language-based defenses against untrusted browser origins
SEC'13 Proceedings of the 22nd USENIX conference on Security
Building web applications on top of encrypted data using Mylar
NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation
Many web sites embed third-party content in frames, relying on the browser's security policy to protect them from malicious content. Frames, however, are often insufficient isolation primitives because most browsers let framed content manipulate other frames through navigation. We evaluate existing frame navigation policies and advocate a stricter policy, which we deploy in the open-source browsers. In addition to preventing undesirable interactions, the browser's strict isolation policy also hinders communication between cooperating frames. We analyze two techniques for inter-frame communication. The first method, fragment identifier messaging, provides confidentiality without authentication, which we repair using concepts from a well-known network protocol. The second method, postMessage, provides authentication, but we discover an attack that breaches confidentiality. We modify the postMessage API to provide confidentiality and see our modifications standardized and adopted in browser implementations.