2008 Poster Sessions: Securing Browser Frame Navigation and Communication

Student Name: Collin Jackson
Advisor: John Mitchell
Research Areas: Computer Systems
Web pages embed third-party content in frames, leveraging the browser's security policy to protect themselves from malicious content. Frames are often insufficient isolation primitives because most browsers are lenient and allow the framed content to interact with the rest of the page by navigating other frames. We evaluate current navigation policies, which we determine through extensive browser testing. Based on known and new attacks, we advocate a stricter navigation policy, which we implement and deploy in the open-source browsers. After examining frame isolation, we turn our attention to securing communication between frames. The first method we examine, navigation with fragment identifiers, provides confidentiality without authenticity, which we repair using concepts from a well-known network protocol. The second, postMessage, provides authentication but lacks confidentiality due to an attack we discover. We propose and deploy an improvement to postMessage that adds confidentiality.
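The confidentiality problem with postMessage described above, and the sender-side targetOrigin check that repairs it, as an added toy model that is not code from the poster or the browsers it modified. Frame navigation and message delivery are simulated in plain JavaScript; the origins (integrator.example, gadget.example, attacker.example) and the "session-token" payload are constructed.

```javascript
// Toy model of frames, frame navigation and postMessage delivery (constructed
// for illustration; not browser code and not the authors' implementation).
class Frame {
  constructor(origin) { this.origin = origin; this.inbox = []; }
}

// Lenient navigation policy: any frame may navigate any other frame, so an
// attacker frame can point the gadget frame at its own origin.
function navigate(frame, newOrigin) {
  frame.origin = newOrigin;
  frame.inbox = [];            // the new document starts with an empty inbox
}

// postMessage as modelled here: the browser checks targetOrigin against the
// recipient's *current* origin before delivery and stamps the sender origin.
function postMessage(target, data, targetOrigin, senderOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== target.origin) return false; // dropped
  target.inbox.push({ data, origin: senderOrigin });
  return true;
}

// Receiver-side authentication: keep only messages whose browser-stamped
// origin is the expected sender.
function trustedMessages(frame, expectedSender) {
  return frame.inbox.filter(m => m.origin === expectedSender).map(m => m.data);
}

const INTEGRATOR = "https://integrator.example";
const GADGET = "https://gadget.example";
const ATTACKER = "https://attacker.example";

// Integrator sends a secret to its gadget frame after an attacker has
// navigated that frame away. Returns whether and where the secret landed.
function confidentialityScenario(targetOrigin) {
  const gadgetFrame = new Frame(GADGET);
  navigate(gadgetFrame, ATTACKER);       // permitted under the lenient policy
  const delivered = postMessage(gadgetFrame, "session-token", targetOrigin, INTEGRATOR);
  return { delivered, recipient: delivered ? gadgetFrame.origin : null };
}

// The integrator frame receives from both gadget and attacker; the origin
// check keeps only the gadget's message (authentication, which postMessage had).
function authenticationScenario() {
  const integratorFrame = new Frame(INTEGRATOR);
  postMessage(integratorFrame, "hello from gadget", "*", GADGET);
  postMessage(integratorFrame, "hello from attacker", "*", ATTACKER);
  return trustedMessages(integratorFrame, GADGET);
}
```

With targetOrigin "*" the secret reaches attacker.example; with the gadget's origin named, the browser drops it once the frame has been navigated.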

Joint work with Adam Barth and John C. Mitchell.

Collin Jackson is a fourth-year Ph.D. student in the Department of Computer Science at Stanford University. His research on browser security includes topics in authentication, privacy, and mashup communication.