Links for fulltext
(May Require Subscription)
- Publisher Website: 10.1145/1455770.1455784
- Scopus: eid_2-s2.0-70349300102
Citations:
- Scopus: 0
- Appears in Collections:
Conference Paper: OMash: Enabling secure web mashups via object abstractions
Title | OMash: Enabling secure web mashups via object abstractions |
---|---|
Authors | |
Keywords | Browser; Communication; Mashup; Object abstraction; Protection; Same origin policy; Security model; Web |
Issue Date | 2008 |
Citation | Proceedings of the ACM Conference on Computer and Communications Security, 2008, p. 99-107 |
Abstract | The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications. Copyright 2008 ACM. |
Persistent Identifier | http://hdl.handle.net/10722/346547 |
ISSN | 1543-7221 (2023 SCImago Journal Rankings: 1.430) |
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Crites, Steven | - |
dc.contributor.author | Hsu, Francis | - |
dc.contributor.author | Chen, Hao | - |
dc.date.accessioned | 2024-09-17T04:11:39Z | - |
dc.date.available | 2024-09-17T04:11:39Z | - |
dc.date.issued | 2008 | - |
dc.identifier.citation | Proceedings of the ACM Conference on Computer and Communications Security, 2008, p. 99-107 | - |
dc.identifier.issn | 1543-7221 | - |
dc.identifier.uri | http://hdl.handle.net/10722/346547 | - |
dc.description.abstract | The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications. Copyright 2008 ACM. | - |
dc.language | eng | - |
dc.relation.ispartof | Proceedings of the ACM Conference on Computer and Communications Security | - |
dc.subject | Browser | - |
dc.subject | Communication | - |
dc.subject | Mashup | - |
dc.subject | Object abstraction | - |
dc.subject | Protection | - |
dc.subject | Same origin policy | - |
dc.subject | Security model | - |
dc.subject | Web | - |
dc.title | OMash: Enabling secure web mashups via object abstractions | - |
dc.type | Conference_Paper | - |
dc.description.nature | link_to_subscribed_fulltext | - |
dc.identifier.doi | 10.1145/1455770.1455784 | - |
dc.identifier.scopus | eid_2-s2.0-70349300102 | - |
dc.identifier.spage | 99 | - |
dc.identifier.epage | 107 | - |