A Radical Trend: SciVerse Gadget Programming and Same Origin Policy

Among the fundamental security concepts for coding a gadget on SciVerse or another OpenSocial container, for example inside a mashup with third-party open APIs, is the same origin policy for browser-side programming. The same origin policy prevents documents loaded on one page from being used by pages on another domain, port or protocol.

There are two fundamental risks to consider: the user's session being used maliciously, and phishing for user credentials such as passwords.

There is some flexibility for scripts to access the document of another domain. Parent domain traversal is the option for scripts on one page to access documents in another page in a different subdomain of the same parent domain.
This is done by a script changing the document.domain value. Country domains like co.uk are vulnerable in this respect if the browser in question only restricts access to the domain.tld (tld = top level domain) part of the host name and does not protect a site name ending in co.uk, for example. Also, external scripts included on the page can allow access to the page's document, bypassing the same origin policy.

Browser-side hacking comes in a few varieties. Cross-site request forgery (CSRF, XSRF, or cross-site reference forgery) uses an established session with user credentials to submit a malicious form within the scope of the existing session. Cross-site scripting (XSS) embeds scripts into data that is sent to the user, and there are other possible attacks.

Why is the same origin policy relevant to SciVerse gadget or OpenSocial gadget programming? The main reason is that gadgets are essentially IFRAMEs running on a page.
IFRAMEs are another way to bypass the same origin policy and can include a third-party domain to embed scripts in a page.
Many gadgets intend to mash up code from various domains. The trend in Web 2.0 to mash up data from various sources in a gadget inside an OpenSocial container is a radical break with the roots of the same origin policy, which was designed as the foundation of internet and browser security.
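The same-origin check and the document.domain parent domain traversal described above, modelled as an added JavaScript example (not code from this post, SciVerse or OpenSocial); the public-suffix set and the host names are constructed samples:

```javascript
// Added example (not SciVerse/OpenSocial code): a model of the browser's
// same-origin check and of the document.domain relaxation the post describes.
// The public-suffix set below is a constructed, partial sample.

// An origin is scheme + host + port; path, query and fragment never count.
function originOf(href) {
  const u = new URL(href);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two documents may script each other only when their origins match exactly,
// so a gadget IFRAME served from gadget.example.com cannot read a parent
// page served from example.com, and a different port or scheme also fails.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Suffixes that no page may claim as its document.domain (constructed sample).
// A browser that only protected "domain.tld" would let a page under co.uk set
// document.domain = "co.uk", the weakness the post describes for country domains.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'uk', 'co.uk']);

// Parent domain traversal: a page may set document.domain to its own host or
// to a parent domain of that host, but never to a bare public suffix.
function canSetDocumentDomain(host, target) {
  if (PUBLIC_SUFFIXES.has(target)) return false;
  return host === target || host.endsWith('.' + target);
}

// Two frames gain mutual access only after BOTH set document.domain to the
// same allowed value; one side relaxing alone is not enough.
function relaxedAccessAllowed(hostA, domainA, hostB, domainB) {
  return domainA === domainB &&
    canSetDocumentDomain(hostA, domainA) &&
    canSetDocumentDomain(hostB, domainB);
}
```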
 http://developer.sciverse.com
 http://developer.sciverse.com/blog
