DocumentCode
628221
Title
Redefining web browser principals with a Configurable Origin Policy
Author
Yinzhi Cao ; Rastogi, V. ; Zhichun Li ; Yan Chen ; Moshchuk, Alexander
Author_Institution
Northwestern Univ., Evanston, IL, USA
fYear
2013
fDate
24-27 June 2013
Firstpage
1
Lastpage
12
Abstract
With the advent of Web 2.0, web developers have designed multiple additions to break SOP boundary, such as splitting and combining traditional web browser protection boundaries (security principals). However, these newly generated principals lack a new label to represent its security property. To address the inconsistent label problem, this paper proposes a new way to define a security principal and its labels in the browser. In particular, we propose a Configurable Origin Policy (COP), in which a browser's security principal is defined by a configurable ID rather than a fixed triple <scheme, host, port>. The server-side and client-side code of a web application can create, join, and destroy its own principals. We perform a formal security analysis on COP to ensure session integrity. Then we also show that COP is compatible with legacy web sites, and those sites utilizing COP are also compatible with legacy browsers.
Keywords
Internet; client-server systems; online front-ends; security of data; SOP boundary; Web 2.0; Web application; Web browser security principal; Web developers; client-side code; configurable ID; configurable origin policy; formal security analysis; legacy Web sites; server-side code; session integrity; Browsers; Google; Mashups; Ports (Computers); Security; Servers; Web sites;
fLanguage
English
Publisher
ieee
Conference_Titel
Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on
Conference_Location
Budapest
ISSN
1530-0889
Print_ISBN
978-1-4673-6471-3
Type
conf
DOI
10.1109/DSN.2013.6575317
Filename
6575317