Title :
Redefining web browser principals with a Configurable Origin Policy
Author :
Yinzhi Cao ; Rastogi, V. ; Zhichun Li ; Yan Chen ; Moshchuk, Alexander
Author_Institution :
Northwestern Univ., Evanston, IL, USA
Abstract :
With the advent of Web 2.0, web developers have designed multiple additions to break the SOP boundary, such as splitting and combining traditional web browser protection boundaries (security principals). However, these newly generated principals lack a new label to represent their security property. To address the inconsistent label problem, this paper proposes a new way to define a security principal and its labels in the browser. In particular, we propose a Configurable Origin Policy (COP), in which a browser's security principal is defined by a configurable ID rather than a fixed triple <scheme, host, port>. The server-side and client-side code of a web application can create, join, and destroy its own principals. We perform a formal security analysis on COP to ensure session integrity. Then we also show that COP is compatible with legacy web sites, and those sites utilizing COP are also compatible with legacy browsers.
Keywords :
Internet; client-server systems; online front-ends; security of data; SOP boundary; Web 2.0; Web application; Web browser security principal; Web developers; client-side code; configurable ID; configurable origin policy; formal security analysis; legacy Web sites; server-side code; session integrity; Browsers; Google; Mashups; Ports (Computers); Security; Servers; Web sites;
Conference_Title :
Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on
Conference_Location :
Budapest
Print_ISBN :
978-1-4673-6471-3
DOI :
10.1109/DSN.2013.6575317