The Same-Origin Saga

Presented at AppSec USA 2012, Oct. 26, 2012, 11 a.m. (45 minutes)

I created what became known as the browser "Same-Origin Policy" (SOP) under duress for Netscape 2, 3, and 4 in the mid-nineties. SOP was intended to preserve the integrity of a user/website session against interference from untrusted other sites. As the web evolved, SOP split from a single precise policy into several variations on a theme, but it remains the default browser content security policy framework. I will review SOP's vulnerabilities and the "patches" that were intended to mitigate those avenues of attack. I will close by suggesting an extension to SOP that labels scripts loaded cross-site with origins that are distinguishable from (yet related to) the origin of the including web page or application.


Presenters:

  • Brendan Eich - Chief Technology Officer - Mozilla
    Brendan Eich is CTO of Mozilla and widely recognized for his enduring contributions to the Internet revolution. In 1995, Eich invented JavaScript (ECMAScript), the Internet's most widely used programming language. He also co-founded the mozilla.org project in 1998, serving as chief architect. Eich helped launch the award-winning Firefox Web browser in November 2004 and the Thunderbird e-mail client in December 2004. Today, Eich's central focus is guiding the future technical work to keep Mozilla vital and competitive. In the greater Web community, Eich remains dedicated to driving innovation in Internet technology with his work in JavaScript and with the Mozilla platform. In August 2005, Eich became CTO of Mozilla. He has also been a board member of the Mozilla Foundation since its inception in 2003. He holds a bachelor of science in math and computer science from Santa Clara University and a master of science in computer science from the University of Illinois. Eich and his wife have five children.
