Web Same-Origin-Policy Lab
Zutao Zhu
11/06/2009
Outline
• Background
• Setting
• SOP
Background
• Document Object Model (DOM)
• Cookie
• XMLHttpRequest
• HTML
• LiveHTTPHeaders extension for Firefox
DOM
• The Document Object Model (DOM) is a
cross-platform and language-independent
convention for representing and interacting
with objects in HTML, XHTML and XML
documents. – from wiki
Cookie
• Cookies are placeholders for server-provided data in the web browser,
typically used to track sessions.
• Each cookie is a key-value pair such as
"color=green" and may have some
optional attributes.
• Web applications can create a cookie in
the web browser using the set-cookie
header in the HTTP response.
Cookie (cont.)
• After cookies are created, web browsers attach
the cookies in all the subsequent requests to the
web application.
• In a JavaScript program, all the cookies of the
web application can be referenced using the
document.cookie object.
• In cookie-based session-management schemes,
web applications store the session identifier in a
cookie in the web browser.
Use Live HTTP Header (tools)
XMLHttpRequest
• XMLHttpRequest has an important role in the
AJAX web development technique. – from wiki
• http://www.w3.org/TR/XMLHttpRequest/
• <script>
  // the method name must be a string; the URL is joined onto one line
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://www.originalphpbb.com/posting.php", true);
  xhr.send(null);
  </script>
HTML
• http://www.w3schools.com/TAGS/tag_a.asp
– frame
– iframe
– img
– a
LiveHTTPHeaders
• Observe the post request
• Observe the response
• Observe the cookie
Setting
• about:config in address bar of Firefox
SOP
• Origin: <protocol, domain, port>
– Protocol: http://, file://, ftp://, etc.
– Domain: microsoft.com, google.com, etc.
– Port: 80, 8080, 21, 3128, etc.
• The SOP identifies each web site using its origin,
and creates a context for each origin.
• For each origin, the web browser creates a
context and stores the resources of the web
application from the origin in the context.
• JavaScript programs from one origin are not
allowed to access resources from another origin.
Examples
• Example origin checks against the URL
"http://www.example.com/dir/page.html". – from wiki
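As an added example (not part of the original slides), the <protocol, domain, port> rule applied in JavaScript against the slide's URL: the default-port table, the helper names and the comparison URLs are assumptions of this example.

```javascript
// Added example: origin comparison as the SOP slide defines it.
// Two URLs share an origin only if protocol, host and port all match;
// path and fragment are ignored. A URL with no explicit port uses the
// scheme default, so "http://a.com" and "http://a.com:80" are one origin.
// Uses the WHATWG URL parser available as a global in Node.js and browsers.

// Assumed default ports for the schemes the slide lists.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to the (protocol, domain, port) triple the SOP compares.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, host: u.hostname, port };
}

// True when both URLs map to the same (protocol, domain, port) triple.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Constructed comparison set against the slide's URL (assumed test data).
const BASE = "http://www.example.com/dir/page.html";
const CASES = [
  ["http://www.example.com/dir2/other.html", true],    // only the path differs
  ["http://www.example.com:80/dir/other.html", true],  // explicit default port
  ["http://www.example.com:81/dir/other.html", false], // different port
  ["https://www.example.com/dir/other.html", false],   // different protocol
  ["http://en.example.com/dir/other.html", false],     // different subdomain
  ["http://example.com/dir/other.html", false],        // apex vs www host
];

// Run every case and report which outcomes match the expectation.
function checkAll() {
  return CASES.map(([url, expected]) => {
    const got = sameOrigin(BASE, url);
    return { url, expected, got, ok: got === expected };
  });
}

checkAll().forEach((r) => console.log(r.ok ? "ok  " : "FAIL", r.url, "->", r.got));
```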
Resources for SOP
• Cookie
• History
• URL
• Contents
• Etc.
URL
• When I enter a cross-domain web page in the URL
bar, can you still use "forward" and "backward"?
• Is the URL shown?
Tags do not honor SOP
• Find out by yourself!
Reference
• http://wikipedia.org/
• http://www.w3.org/TR/2008/WDXMLHttpRequest2-20080930/
• http://getfirebug.com/