'Standard' webpage composition patterns:
- script tag: full 3rd party integration
- iframe tag: more robust (+ sandboxed keyword)
Solutions for security:
- use a secure subset of Javascript (e.g. ADSafe, Facebook JS, etc.)
- browser sandboxing (e.g. WebJail)
- Serverside Tranformation of scripts (Google Caja, BrowserShield, etc.)
Risk examples of 3rd party integrations: (research)
- stale domain names -> re-register & abuse
- typo squatting: e.g. googlesyndicatio.com (without the 'n') triggered a lot of hits
JSand presentation:
- prototype
- aims
- complete JS mediation
- backwards compatibility
- reasonable performance
- components:
- policies for 3rd party scripts
- isolate JS through Google Secure EcmaScript library ("use strict" directive)
- Proxy wrapper for domain access
- AST transformations through Uglify lib
- CORS / UMP headers
- Serversside JS Proxy
- nice demo, very early preview.
No comments:
Post a Comment