WEB SECURITY
============

This lecture: isolation between sites in a web browser.
  The overall plan is called the "same-origin policy" (SOP).
  One of the best descriptions is in "The Tangled Web" (today's reading).
  Will try to cover some over-arching principles.
  Will also talk about some interesting past/present pitfalls.
  Web browsers continuously change.
    New mechanisms have come out since "The Tangled Web".
    But they mostly add onto the existing design rather than replacing it.

How did the browser security plan come about?
  Origin: the Netscape browser introduced the SOP when adding support for JavaScript.
  Incremental design/development: no single coherent design.
    No one expected web browsers to be used in the ways they are today.
    Security issues were patched as they were discovered, with extra rules/checks.
  Browser vendors competed (and to some extent still compete) on functionality.
    Adding new features (or even security mechanisms) before standards existed.
    Historically, the W3C has largely been documenting what browsers already do,
      instead of proposing new standards that browsers then implement.
  Browsers didn't always agree on the overall plan, or on the implementation details.
    Browser vendors do something that roughly resembles the specs.
    Many quirks; see quirksmode.org.
    As a result, many inconsistent corner cases that can be exploited.
  Now there's quite a bit of collaboration "behind the scenes".
    Developers of Chrome, Firefox, and IE talk to each other a fair amount.
  Important issues get fixed slowly over time.
    Compatibility is a huge constraint: hard to break old sites.
      (Users will stop using your web browser!)
    Some of the fixes take place in the browser and in JavaScript libraries (jQuery, etc.).
      When possible, just a compatibility layer on top of the raw browser APIs.
    Some of the improvements come through new headers.
      E.g., Content-Security-Policy.
    Many of the attacks we talk about today are now more difficult to pull off.
      E.g., most of the lab 4 attacks don't work with Chrome.

What is the web?
  In the old days, it was a simple client/server architecture: the client was your
  web browser, and the server was a machine on the network that could deliver
  static text and images to your browser.
    -In the old days, the server side was much more complex than the client side:
     browsers didn't support rich interactivity, but the server might interface
     with databases, other servers, etc.
    -Because the server was so much more complicated, "web security" focused on
     the server side. Up to this point, this class has largely focused on the
     server side as well (e.g., buffer overflows in web servers, privilege
     separation in the OKWS server).
  The web has changed: now the browser is very complicated.
    -JavaScript: allows a page to execute client-side code.
    -DOM: provides a JavaScript interface to the page's HTML, allowing the page
     to add/remove tags, change their styling, etc.
    -Cookies: storage in the browser, used e.g. for user authentication.
    -XMLHttpRequests (AJAX): asynchronous HTTP requests.
    -Web sockets: full-duplex client-server communication over TCP.
    -Web workers: multi-threading support.
    -Multimedia support:
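  All of the client-side mechanisms above are supposed to be isolated from each
  other according to the same-origin policy, so it is worth being precise about
  what an "origin" is. The following is an added example, not code from the
  lecture notes or from "The Tangled Web": it reduces a URL to the (scheme, host,
  port) tuple that the SOP compares and runs a few constructed URL pairs
  (hypothetical hosts) through the check. The function names are this example's
  own; parsing uses the WHATWG URL class that browsers and Node.js both provide.

```javascript
// Added example, not part of the lecture notes: the origin comparison that the
// same-origin policy (SOP) is built on. Two URLs belong to the same origin only
// when scheme, host and port all match; path, query and fragment do not count.
// Parsing uses the WHATWG URL class that browsers and Node.js both provide.

// Default ports per scheme, so that "http://a.com" and "http://a.com:80" compare equal.
const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };

// Reduce a URL to its (scheme, host, port) origin tuple.
function originTuple(urlString) {
  const u = new URL(urlString); // throws on malformed input; lowercases scheme and host
  const scheme = u.protocol.replace(/:$/, '');
  // URL.port is "" when the URL uses its scheme's default port; fill that in explicitly.
  const port = u.port !== '' ? u.port : (DEFAULT_PORTS[scheme] ?? '');
  return { scheme, host: u.hostname, port };
}

// The SOP check itself: every component of the tuple must match exactly.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Serialised origin, the form seen in the Origin request header. The port is
// omitted when it is the scheme's default.
function serializeOrigin(urlString) {
  const { scheme, host, port } = originTuple(urlString);
  const suffix = port !== '' && port !== DEFAULT_PORTS[scheme] ? ':' + port : '';
  return `${scheme}://${host}${suffix}`;
}

// Constructed sample pairs (hypothetical hosts) with the expected SOP verdict.
const SAMPLE_PAIRS = [
  ['http://example.com/a', 'http://example.com:80/b?q=1#frag', true], // default port; path/query/fragment ignored
  ['http://EXAMPLE.com/', 'http://example.com/', true],                // host names are case-insensitive
  ['http://example.com/', 'https://example.com/', false],              // scheme differs
  ['http://example.com/', 'http://www.example.com/', false],           // a subdomain is a different host
  ['http://example.com/', 'http://example.com:8080/', false],          // port differs
  ['http://example.com/', 'http://192.0.2.1/', false],                 // IP literal is a different host, even if it resolves to the same machine
];

// Run every sample pair; returns the number of verdicts that differ from the expected ones.
function checkSamples() {
  let mismatches = 0;
  for (const [a, b, expected] of SAMPLE_PAIRS) {
    const got = sameOrigin(a, b);
    if (got !== expected) mismatches++;
    console.log(`${serializeOrigin(a)} vs ${serializeOrigin(b)} -> same origin: ${got}`);
  }
  return mismatches;
}

checkSamples();
```

  Two practical caveats. First, the tuple is compared exactly: "http" vs "https",
  or port 80 vs 8080, is a different origin even though the host is the same,
  which is why a site served on both schemes cannot share script access between
  them. Second, not every mechanism in the list above uses this tuple. Cookies
  are the classic exception: their scope is by host (and path), with no port
  component and, by default, no scheme component, so they do not line up with
  the origin that JavaScript and XMLHttpRequest are isolated by.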