Sunday, November 1, 2009

Caja

Caja allows websites to safely embed DHTML web applications from third parties, and enables rich interaction between the embedding page and the embedded applications. It uses an object-capability security model to allow for a wide range of flexible security policies, so that the containing page can effectively control the embedded applications' use of user data and to allow gadgets to prevent interference between gadgets' UI elements.

Today, some websites embed third-party code using iframes. This approach does not prevent a wide variety of attacks: redirection to phishing pages which could pretend to be a login page for the embedding application; stopping the browser from working until the user downloads malware; stealing history information about which sites a user has visited so that more targeted phishing attacks can be done; and port scanning the user's local network. Finally, even though a website can choose not to give data to an iframe app, once it has done so it can place no further restrictions on what the iframe app can do with it — it cannot stop the iframe app from sending that data elsewhere.

Caja addresses these problems, which iframe jails do not, and it does so in a very flexible way. If a container wishes to allow an embedded application to use a particular web service, but not to send arbitrary network requests, then it can give the application an object that interacts with that web service, but deny access to XMLHttpRequest. Under Caja, passing objects grants authority, and denying access to objects denies authority, as is typical in an object-capability environment. Information leakage can be prevented by allowing user data to be encapsulated in objects that can be rendered in user-readable form but not read by scripts; we can prevent leakage without solving the problem of covert channels.
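The two ideas in that paragraph (a narrowed service object instead of XMLHttpRequest, and user data the guest can display but not read) can be sketched in plain JavaScript. The block below is an added illustration, not code from the Caja project: it uses frozen objects and a WeakMap rather than Caja's source rewriting, and the endpoint URL, the `rawRequest` stub, the request log and the sample e-mail address are all constructed stand-ins for a real container's network and rendering layer.

```javascript
// Added example (not Caja's own code): capability-style attenuation in plain JS.
// The container hands the guest only what it chose to pass; full authority
// (the request function, the user data) stays on the container side.

const ALLOWED_ENDPOINT = "https://api.example.invalid/v1/profile"; // placeholder URL

// Container side: owns network access and user data, never hands them out directly.
function makeContainer() {
  const requestLog = [];          // every outbound request is visible to the container
  const displayed = [];           // what the container actually rendered on the page
  const secrets = new WeakMap();  // opaque handle -> user data (container-private)

  // Stand-in for XMLHttpRequest; the guest never receives a reference to it.
  function rawRequest(url, body) {
    requestLog.push({ url, body });
    return { status: 200, url };
  }

  // Attenuated capability: one fixed endpoint, validated argument, no URL parameter.
  const profileService = Object.freeze({
    lookup(userId) {
      if (typeof userId !== "string" || !/^[a-z0-9]{1,32}$/.test(userId)) {
        throw new TypeError("invalid user id");
      }
      return rawRequest(ALLOWED_ENDPOINT, { userId });
    },
  });

  // User data the guest may show but not read: the handle itself carries
  // nothing; only the container's render() can resolve it back to the value.
  function protectUserData(value) {
    const handle = Object.freeze(Object.create(null));
    secrets.set(handle, value);
    return handle;
  }
  function render(handle) {
    if (!secrets.has(handle)) throw new TypeError("not a user-data handle");
    displayed.push(secrets.get(handle)); // goes to the page, never back to the guest
  }

  return { profileService, protectUserData, render, requestLog, displayed };
}

// Guest side: runs with only the objects the container passed in.
function runGuest(profileService, emailHandle, render) {
  const result = profileService.lookup("alice"); // within granted authority
  render(emailHandle);                           // display, not read

  // Probe the limits of the granted authority and record what the guest observes.
  const attempts = {};
  attempts.keysOnHandle = Object.keys(emailHandle).length; // 0: nothing readable
  attempts.jsonOfHandle = JSON.stringify(emailHandle);     // "{}": no data inside
  attempts.serviceKeys = Object.keys(profileService);      // ["lookup"] only
  try {
    profileService.lookup("../../other-endpoint");         // rejected by validation
    attempts.badIdAccepted = true;
  } catch (e) {
    attempts.badIdAccepted = false;
  }
  try {
    profileService.extra = () => {};                       // frozen: ignored or TypeError
  } catch (e) { /* strict mode throws; either way nothing is added */ }
  attempts.addedMethod = typeof profileService.extra;      // "undefined"
  return { result, attempts };
}

// Wire the two sides together and return everything worth inspecting.
function demo() {
  const c = makeContainer();
  const handle = c.protectUserData("alice@example.invalid"); // constructed sample value
  const guestView = runGuest(c.profileService, handle, c.render);
  return { guestView, requestLog: c.requestLog, displayed: c.displayed };
}
```

The container's audit trail (`requestLog`) shows exactly one request, to the fixed endpoint, while the guest's own view of the handle is an empty object. Real Caja enforces this by rewriting the guest's source so that it cannot reach global objects or prototype internals at all; frozen objects and a WeakMap only approximate that in unrewritten JavaScript.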

http://code.google.com/p/google-caja/
