Cross Domain and Browser Security

Erlend Oftedal — @webtonull
OWASP Göteborg

Who am I?

The need for cross domain communication

Frames

http://domain-a.com
Hello??
http://domain-b.com
Sorry... I can't hear you...


Script

JavaScript running on domain-a.com:
$.get("http://domain-b.com/", function(data) { ... });

Communication across domains

Same Origin Policy

The communicating parties must have URIs with:

Proxying

Setting up a local proxy on the web server:

$.get("http://domain-a.com/proxy?url=http://domain-b.com", 
	function(data) { ... }
);

Frames - document.domain

http://a.example.com
<script>
document.domain = "example.com";
...
http://b.example.com
<script>
document.domain = "example.com";
...
  • Works in all browsers
  • No support for third-party domains
  • Domain c.example.com can join the party

SOP Hacks

FIM - Fragment identifier

WindowNameTransport

JSONP - JSON with Padding

Flash

Warning - Avoid OPEN crossdomain.xmls

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

Allows Flash content on any web site to read data from this site on behalf of the current user!

Open crossdomain.xmls

Alexa top 100 local domains: [chart of the number of open crossdomain.xml files found; bar values 27, 30 and 31, series labels not recovered]
Tested 18 April 2012

Java Applet support for crossdomain.xml

Only works with insecure (open) crossdomain.xmls... sigh...

Silverlight

HTML5 - postMessage

http://domain-a.com
<script>
var targetFrame = document.getElementById("theIframe").contentWindow;
targetFrame.postMessage(data, "http://domain-b.com");
http://domain-b.com
<script>
if (window.addEventListener) {
        window.addEventListener("message", receiveMessage, false);
} else {
        window.attachEvent("onmessage", receiveMessage);
}
function receiveMessage(event) {
	if (event.origin !== "http://domain-a.com") { //IMPORTANT: always check origin
		return;
	}
	// handle message
}
Example: http://erlend.oftedal.no/blog/examples/cors/

HTML5 - postMessage

http://erlend.oftedal.no/blog/tools/postmessage/

Cross domain XHR

domain-a.com:
GET http://domain-b.com/some/resource
...
domain-b.com:
200 OK
Access-Control-Allow-Origin: http://domain-a.com
...

Cross domain XHR - preflight

domain-a.com:
OPTIONS http://domain-b.com/some/resource
...
domain-b.com:
200 OK
Access-Control-Allow-Origin: http://domain-a.com
...
domain-a.com:
POST http://domain-b.com/some/resource
Content-Type: application/json
...
domain-b.com:
200 OK
Access-Control-Allow-Origin: http://domain-a.com
...
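The two exchanges above only work safely if domain-b.com decides per request whether to send Access-Control-Allow-Origin back. The helper below is an added example, not code from the slides: it answers a simple and a preflight request from an allow-list of origins instead of reflecting whatever Origin header arrives. The allow-list, the allowed methods and headers are constructed sample values.

```javascript
// Added example (not from the slides): server-side CORS policy for domain-b.com.
// Assumption: only http://domain-a.com may read our resources cross-domain.
const ALLOWED_ORIGINS = new Set(["http://domain-a.com"]); // exact-match lookup
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type"]; // lower-case for comparison

// Returns the CORS response headers for one request. An empty object means
// "no CORS headers": the browser then refuses to hand the response to the
// calling page, which is exactly what we want for unknown origins.
function corsHeaders(method, origin, accessControlRequestHeaders) {
  if (!ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  const headers = {
    // Echo the specific allow-listed origin, never "*" for user data.
    "Access-Control-Allow-Origin": origin,
    // The response now depends on the Origin header, so caches must key on it.
    "Vary": "Origin",
  };
  if (method === "OPTIONS") {
    // Preflight (the OPTIONS exchange above): the browser asks whether the
    // real request's method and non-simple headers are acceptable.
    const requested = (accessControlRequestHeaders || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    const unknown = requested.filter((h) => !ALLOWED_HEADERS.includes(h));
    if (unknown.length > 0) {
      return {}; // refuse the preflight; the browser will not send the POST
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the preflight may be cached
  }
  return headers;
}

// Example: the preflight for the JSON POST shown above, then the POST itself.
console.log(corsHeaders("OPTIONS", "http://domain-a.com", "Content-Type"));
console.log(corsHeaders("POST", "http://domain-a.com", undefined));
console.log(corsHeaders("GET", "http://domain-a.com.evil.example", undefined)); // {}
```

Note that a lookalike origin such as http://domain-a.com.evil.example fails the exact-match lookup, which is why a Set rather than a prefix or substring check is used.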

Cross domain XHR - more headers

XDomainRequest

WebSockets

easyXDM

New browser security features

CSP - Content Security Policy

CSP - Directives

Content-Security-Policy: default-src *; script-src 'self' *.google.com https://www.owasp.org:443

CSP - special sources

CSP - support

CSP - reporting

CSP - is it being used

HSTS - Strict Transport Security

X-Frame-Options

Iframe sandboxing

X-Content-Type-Options

XSS-filtering

Questions?

MalaRIA

Demo:

http://www.youtube.com/watch?v=_2U7XAuJ6hk

HTML5 = MalaRIA + CORS