SlideShare a Scribd company logo

Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy

Download as PPTX, PDF
S
subbul

This document discusses cross-origin resource sharing (CORS) and content security policy (CSP) as techniques to improve security in web applications. It begins by explaining the need for the same-origin policy and how CORS helps address limitations of SOP by allowing controlled cross-origin requests. It then discusses cross-site scripting (XSS) attacks and how CSP helps prevent XSS by allowing web applications to restrict resources that can be loaded or executed.

TechnologyDesign
1 of 18
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Same Origin Policy Cross-Origin Resource Sharing Content Security Policy subbul@gmail.com
Agenda • • • • Need for SOP How CORS help SOP What is XSS? How CSP helps preventing XSS
Why Same Origin Policy ? • What if your personal data you are entering in a “Bank” page in Browser is accessible to another Page in the browser Instance
What is Same Origin Policy • This is a Browser Mechanism to allow trusted pages/scripts • To Prevent HTML/JS Application from different window, domain accessing the DOM, data of Application current domain or “Origin” • Thanks to Same Origin Policy (SOP), Browser prevents loading or blocks request for DOM access, execution of script from “Origin/Domain” other than “Self” • More Details
What are allowed in SOP? • SOP cannot prevent cross site content inclusions (like images, scripts, css from different domain • http://www.google.com/page1 can access http://www.google.com/page2 • http://www.google.com/page1 cannot access http://www.yahoo.com as the two pages belong to different domain • <script> is allowed by SOP [file:// ??] • In a http://www.mypage.com page, you can include<script src= http://api.google.com/googleplus >. • Google API page scripts are executed in “Mypage” domain, HTML Application, it will still have access to “Mypage” DOM elements. So, if the “Google API scripts” are compromised, it will have bad effect on the “MyPage” (Will take it to XSS- Cross Site Scripting)
What is not allowed in SOP? • AJAX (XHR) from One domain to another • XHR request from “MyPage.com” to “Google.com” • Why it is not allowed? – Using AJAX you can download a malicious JS code and could spoil the current page information or could derive information from current page and send it over maliciously to remote pages
How to circumvent SOP • • • • Simple suggestion DO NOT USE ( unless it’s the End of the World) Document.domain PostMessage JSONP • Right Way – CORS (Cross-Origin Resource Sharing)
Cross-Origin Resource Sharing • CORS is to overcome SOP for XHR • Allowing Cross Origin Request from Domain A to Domain B using XHR • Introduction of new HTTP Headers (Origin) from Server to make Browser decide to Allow Cross-Origin request or not • Use Pre-flight (handshake) OPTIONS request for methods other than POST/GET to know if the server supports, allow-origin for your request More Detail
How CORS works?
CORS HTTP Request/Response Headers HTTP Request/ ResponseHeader Parameter Description Example Access-Control-AllowOrigin: <origin> | * Specifying a particular “domain” is allowed or “*” all Access-Control-AllowOrigin: http://mozilla.com Access-Control-AllowCredentials True| false Request for cookie along with request Access-ControlRequest-Method GET,POST Request for supported HTTP methods Access-Control-AllowHeaders Content-Type| Custom-Header Preflight-request headers
CORS Server/Browser Request /Response Flow http://www.html5rocks.com/static/images/cors_server_flowchart.png
XSS (Cross Site Scripting) • Finding Vulnerability of Web Pages and injecting and injecting malicious client side- script . • Types – Non-Persistent (server Echo’s back your request) – Adding malicious scripts in HTML Forms, HTTP Query from web browser during a search request. If the “String” is not formatted/escaped, the injected script will be executed back in client browser. – E.g., • Phishing Attacks, • URL Shortens (bit.ly ) taking to legitimate page and injecting their “script” along with it
XSS (Cross Site Scripting) – Persistent (Server stores the data and script) – Storing user provided “string” as is without escaping the HTML, JS code in Webserver and serving later to all users will cause the malicious script to execute on client browser – Message Boards, which include Plain Text and Scripts, later when another user reloads the Message Board, the malicious code executes and steals user data – Defacing web servers, cookie/session stealing
Examples • http://www.insecurelabs.org/Task/Rule1 • http://www.insecurelabs.org • https://www.owasp.org/index.php/Testing_for_Reflected_Cros s_site_scripting_(OWASP-DV-001)
How to Prevent XSS • • • • • Validation/Sanitization of ALL user inputs in a page No inline please, keep it safe in a dedicated JS Secure all input path, query string, file path etc Don’t keep untrusted data in your HTML, JS This is one of the reason, you find forms in organization preventing <, > etc  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Pre vention_Cheat_Sheet • And of course CSP (Content Security Policy)
Content Security Policy (CSP) • It’s a policy how Browser/UserAgent adhere to as a directive from HTTP Server in order to display, execute scripts • New HTTP Headers introduced to enable CSP • Content-Security-Policy: script-src 'self' Trusted Source https://abc.MyWebpage.com Resource Trusted Source
Content Security Policy • If a malicious code is injected through XSS (added <script src=“hackedsite.com”>), browser will detect and prevent • More XSS prevention by • 'unsafe-inline' prevents inline JavaScript and CSS • 'unsafe-eval' prevents text-to-JavaScript mechanisms like eval • Default-src “none” (Shut down any other script, img, media load beyond my own) • Other resources which can be controlled by CSP are font-src,img-src etc – – – – http://www.html5rocks.com/en/tutorials/security/content-security-policy/ http://erlend.oftedal.no/blog/csp/readiness/ http://people.mozilla.org/~bsterne/content-security-policy/details.html https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
Thank You

More Related Content

PPT
Same origin policy
Vivek Madurai
 
PDF
Javascript cross domain communication
ChenKuo Chen
 
PDF
Cross site calls with javascript - the right way with CORS
Michael Neale
 
PPTX
Web Security - Cookies, Domains and CORS
Perfectial, LLC
 
PPTX
CORS - Enable Alfresco for CORS
Jared Ottley
 
PPTX
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Evan J Johnson (Not a CISSP)
 
PDF
Cross-domain requests with CORS
Vladimir Dzhuvinov
 
PDF
CORS and (in)security
n|u - The Open Security Community
 
Same origin policy
Vivek Madurai
 
Javascript cross domain communication
ChenKuo Chen
 
Cross site calls with javascript - the right way with CORS
Michael Neale
 
Web Security - Cookies, Domains and CORS
Perfectial, LLC
 
CORS - Enable Alfresco for CORS
Jared Ottley
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Evan J Johnson (Not a CISSP)
 
Cross-domain requests with CORS
Vladimir Dzhuvinov
 
CORS and (in)security
n|u - The Open Security Community
 

What's hot (20)

PPT
Breaking The Cross Domain Barrier
Alex Sexton
 
PDF
RESTful Web Services
Christopher Bartling
 
PDF
Basic web architecture
Ralu Mihordea
 
PPTX
Evolution Of The Web Platform & Browser Security
Sanjeev Verma, PhD
 
PPTX
01. http basics v27
Eoin Keary
 
KEY
Modernizr, Yepnope, and Polyfills
Alex Sexton
 
PDF
Your rest api using laravel
Sulaeman .
 
PDF
Building Awesome APIs with Lumen
Kit Brennan
 
PDF
Cors kung fu
Aditya Balapure
 
PDF
Cors michael
Michael Neale
 
PPTX
Web Architecture
sudip pudasaini
 
PDF
Basic Introduction About API Web Service
Hiraq Citra M
 
PDF
Design Web Service API by HungerStation
ArabNet ME
 
ODP
PHP BASIC PRESENTATION
krutitrivedi
 
PDF
REST in peace @ IPC 2012 in Mainz
Alessandro Nadalin
 
KEY
REST Easy - Building RESTful Services in Zend Framework
Chris Weldon
 
PDF
Data normalization weaknesses
Ivan Novikov
 
PDF
SOAP-based Web Services
Katrien Verbert
 
PDF
Your first sitemap.xml and robots.txt implementation
Jérôme Verstrynge
 
PPTX
Robots.txt and Sitemap.xml Creation
Jahid Hasan
 
Breaking The Cross Domain Barrier
Alex Sexton
 
RESTful Web Services
Christopher Bartling
 
Basic web architecture
Ralu Mihordea
 
Evolution Of The Web Platform & Browser Security
Sanjeev Verma, PhD
 
01. http basics v27
Eoin Keary
 
Modernizr, Yepnope, and Polyfills
Alex Sexton
 
Your rest api using laravel
Sulaeman .
 
Building Awesome APIs with Lumen
Kit Brennan
 
Cors kung fu
Aditya Balapure
 
Cors michael
Michael Neale
 
Web Architecture
sudip pudasaini
 
Basic Introduction About API Web Service
Hiraq Citra M
 
Design Web Service API by HungerStation
ArabNet ME
 
PHP BASIC PRESENTATION
krutitrivedi
 
REST in peace @ IPC 2012 in Mainz
Alessandro Nadalin
 
REST Easy - Building RESTful Services in Zend Framework
Chris Weldon
 
Data normalization weaknesses
Ivan Novikov
 
SOAP-based Web Services
Katrien Verbert
 
Your first sitemap.xml and robots.txt implementation
Jérôme Verstrynge
 
Robots.txt and Sitemap.xml Creation
Jahid Hasan
 
Ad

Similar to Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy (20)

PDF
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
PPTX
Lesson 6 web based attacks
Frank Victory
 
PPTX
Browser Security 101
Stormpath
 
PDF
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
PPTX
Browser Internals-Same Origin Policy
Krishna T
 
PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PPTX
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Divyanshu
 
PPTX
Building Secure User Interfaces With JWTs
robertjd
 
PDF
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
PPTX
JWT Authentication with AngularJS
robertjd
 
PPTX
Web security for app developers
Pablo Gazmuri
 
PPTX
Security vulnerabilities - 2018
Marius Vorster
 
PPTX
Conquering CORS. Taming Cross-Origin Resource Sharing.
Tony Nazarov
 
PPTX
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
arfaouisalim
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
PDF
Flashack
n|u - The Open Security Community
 
PPT
A privacy-preserving defense mechanism against attacks
tahucampur
 
PDF
Chrome extensions threat analysis and countermeasures
Roel Palmaers
 
PDF
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
Lesson 6 web based attacks
Frank Victory
 
Browser Security 101
Stormpath
 
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Browser Internals-Same Origin Policy
Krishna T
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Divyanshu
 
Building Secure User Interfaces With JWTs
robertjd
 
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
JWT Authentication with AngularJS
robertjd
 
Web security for app developers
Pablo Gazmuri
 
Security vulnerabilities - 2018
Marius Vorster
 
Conquering CORS. Taming Cross-Origin Resource Sharing.
Tony Nazarov
 
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
arfaouisalim
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
Flashack
n|u - The Open Security Community
 
A privacy-preserving defense mechanism against attacks
tahucampur
 
Chrome extensions threat analysis and countermeasures
Roel Palmaers
 
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
Ad

Recently uploaded (20)

PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Approach and Philosophy of On baking technology
30anthuong17
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Encapsulation theory and applications.pdf
gurumoop
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 

Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy

  • 1. Same Origin Policy Cross-Origin Resource Sharing Content Security Policy subbul@gmail.com
  • 2. Agenda • • • • Need for SOP How CORS help SOP What is XSS? How CSP helps preventing XSS
  • 3. Why Same Origin Policy ? • What if your personal data you are entering in a “Bank” page in Browser is accessible to another Page in the browser Instance
  • 4. What is Same Origin Policy • This is a Browser Mechanism to allow trusted pages/scripts • To Prevent HTML/JS Application from different window, domain accessing the DOM, data of Application current domain or “Origin” • Thanks to Same Origin Policy (SOP), Browser prevents loading or blocks request for DOM access, execution of script from “Origin/Domain” other than “Self” • More Details
  • 5. What are allowed in SOP? • SOP cannot prevent cross site content inclusions (like images, scripts, css from different domain • http://www.google.com/page1 can access http://www.google.com/page2 • http://www.google.com/page1 cannot access http://www.yahoo.com as the two pages belong to different domain • <script> is allowed by SOP [file:// ??] • In a http://www.mypage.com page, you can include<script src= http://api.google.com/googleplus >. • Google API page scripts are executed in “Mypage” domain, HTML Application, it will still have access to “Mypage” DOM elements. So, if the “Google API scripts” are compromised, it will have bad effect on the “MyPage” (Will take it to XSS- Cross Site Scripting)
  • 6. What is not allowed in SOP? • AJAX (XHR) from One domain to another • XHR request from “MyPage.com” to “Google.com” • Why it is not allowed? – Using AJAX you can download a malicious JS code and could spoil the current page information or could derive information from current page and send it over maliciously to remote pages
  • 7. How to circumvent SOP • • • • Simple suggestion DO NOT USE ( unless it’s the End of the World) Document.domain PostMessage JSONP • Right Way – CORS (Cross-Origin Resource Sharing)
  • 8. Cross-Origin Resource Sharing • CORS is to overcome SOP for XHR • Allowing Cross Origin Request from Domain A to Domain B using XHR • Introduction of new HTTP Headers (Origin) from Server to make Browser decide to Allow Cross-Origin request or not • Use Pre-flight (handshake) OPTIONS request for methods other than POST/GET to know if the server supports, allow-origin for your request More Detail
  • 10. CORS HTTP Request/Response Headers HTTP Request/ ResponseHeader Parameter Description Example Access-Control-AllowOrigin: <origin> | * Specifying a particular “domain” is allowed or “*” all Access-Control-AllowOrigin: http://mozilla.com Access-Control-AllowCredentials True| false Request for cookie along with request Access-ControlRequest-Method GET,POST Request for supported HTTP methods Access-Control-AllowHeaders Content-Type| Custom-Header Preflight-request headers
  • 11. CORS Server/Browser Request /Response Flow http://www.html5rocks.com/static/images/cors_server_flowchart.png
  • 12. XSS (Cross Site Scripting) • Finding Vulnerability of Web Pages and injecting and injecting malicious client side- script . • Types – Non-Persistent (server Echo’s back your request) – Adding malicious scripts in HTML Forms, HTTP Query from web browser during a search request. If the “String” is not formatted/escaped, the injected script will be executed back in client browser. – E.g., • Phishing Attacks, • URL Shortens (bit.ly ) taking to legitimate page and injecting their “script” along with it
  • 13. XSS (Cross Site Scripting) – Persistent (Server stores the data and script) – Storing user provided “string” as is without escaping the HTML, JS code in Webserver and serving later to all users will cause the malicious script to execute on client browser – Message Boards, which include Plain Text and Scripts, later when another user reloads the Message Board, the malicious code executes and steals user data – Defacing web servers, cookie/session stealing
  • 14. Examples • http://www.insecurelabs.org/Task/Rule1 • http://www.insecurelabs.org • https://www.owasp.org/index.php/Testing_for_Reflected_Cros s_site_scripting_(OWASP-DV-001)
  • 15. How to Prevent XSS • • • • • Validation/Sanitization of ALL user inputs in a page No inline please, keep it safe in a dedicated JS Secure all input path, query string, file path etc Don’t keep untrusted data in your HTML, JS This is one of the reason, you find forms in organization preventing <, > etc  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Pre vention_Cheat_Sheet • And of course CSP (Content Security Policy)
  • 16. Content Security Policy (CSP) • It’s a policy how Browser/UserAgent adhere to as a directive from HTTP Server in order to display, execute scripts • New HTTP Headers introduced to enable CSP • Content-Security-Policy: script-src 'self' Trusted Source https://abc.MyWebpage.com Resource Trusted Source
  • 17. Content Security Policy • If a malicious code is injected through XSS (added <script src=“hackedsite.com”>), browser will detect and prevent • More XSS prevention by • 'unsafe-inline' prevents inline JavaScript and CSS • 'unsafe-eval' prevents text-to-JavaScript mechanisms like eval • Default-src “none” (Shut down any other script, img, media load beyond my own) • Other resources which can be controlled by CSP are font-src,img-src etc – – – – http://www.html5rocks.com/en/tutorials/security/content-security-policy/ http://erlend.oftedal.no/blog/csp/readiness/ http://people.mozilla.org/~bsterne/content-security-policy/details.html https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465