Redefining web browser principals with a Configurable Origin Policy

With the advent of Web 2.0, web developers have designed multiple additions to break SOP boundary, such as splitting and combining traditional web browser protection boundaries (security principals). However, these newly generated principals lack a new label to represent its security property. To ad...

Bibliographic details
Main authors: Yinzhi Cao, Rastogi, Vaibhav, Zhichun Li, Yan Chen, Moshchuk, Alexander
Format: Conference proceedings
Language: eng
container_end_page 12
container_issue
container_start_page 1
container_title
container_volume
creator Yinzhi Cao
Rastogi, Vaibhav
Zhichun Li
Yan Chen
Moshchuk, Alexander
description With the advent of Web 2.0, web developers have designed multiple additions to break SOP boundary, such as splitting and combining traditional web browser protection boundaries (security principals). However, these newly generated principals lack a new label to represent its security property. To address the inconsistent label problem, this paper proposes a new way to define a security principal and its labels in the browser. In particular, we propose a Configurable Origin Policy (COP), in which a browser's security principal is defined by a configurable ID rather than a fixed triple <scheme, host, port>. The server-side and client-side code of a web application can create, join, and destroy its own principals. We perform a formal security analysis on COP to ensure session integrity. Then we also show that COP is compatible with legacy web sites, and those sites utilizing COP are also compatible with legacy browsers.
doi_str_mv 10.1109/DSN.2013.6575317
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier ISSN: 1530-0889
ispartof 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2013, p.1-12
issn 1530-0889
2158-3927
language eng
recordid cdi_ieee_primary_6575317
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Browsers
Google
Mashups
Ports (Computers)
Security
Servers
Web sites
title Redefining web browser principals with a Configurable Origin Policy
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-15T20%3A34%3A35IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Redefining%20web%20browser%20principals%20with%20a%20Configurable%20Origin%20Policy&rft.btitle=2013%2043rd%20Annual%20IEEE/IFIP%20International%20Conference%20on%20Dependable%20Systems%20and%20Networks%20(DSN)&rft.au=Yinzhi%20Cao&rft.date=2013-06&rft.spage=1&rft.epage=12&rft.pages=1-12&rft.issn=1530-0889&rft.eissn=2158-3927&rft.isbn=9781467364713&rft.isbn_list=1467364711&rft_id=info:doi/10.1109/DSN.2013.6575317&rft_dat=%3Cieee_6IE%3E6575317%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9781467364720&rft.eisbn_list=146736472X&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=6575317&rfr_iscdi=true