Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Presentation transcript:

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft

Agenda
● Introduction: what is IAB?
● Use case
● SafeFrame Overview
● HTML5 Sandbox/CSP – Asks
● Next Steps and Q&A

Introduction: what is IAB?
Interactive Advertising Bureau
● Membership-based trade organization, based in NYC
● Founded in 1996
● Members are online media publishers
● Over 600 members in the US
● 86% of digital advertising in US runs on IAB member sites
● IAB develops digital advertising & publishing standards
How do our interests align?
● Ad content is served from 3rd parties in real time
● Publishers are concerned with site and user security
● Most Web content is paid for by advertising & sponsorship
● We believe in the power of a “free” Web

Use case: Real time content serving
(Flow diagram. Actors: Browser, Publisher Web Server, Publisher Ad Server, Exchange, Ad network, DSP, Agency ad server, CDN. Numbered steps as labelled on the slide:)
1 Content request
2 Content
3 Ad Request
4 To exchange
5 Ad Request
6 Ad
6a RFB / RFBr
6b, 6c, 6d RFP / RFPr
7 Asset Request
8 Asset

Publisher areas of concerns
Isolation (covered by IFRAME + SafeFrame)
● Separation between publisher and 3rd party code
● Prevent data leakage – page content, cookies, other data
● Prevent JS and CSS collision
Functional / UI (covered by IFRAME + SafeFrame)
● Allow rich interactions without providing full access
● Restrict certain media types
● Control autoplay
Ability to control other “attack surface areas” (topic of today’s discussion)
● Prevent downloads
● Plugin activation
● Navigation
● Messaging
● ...

SafeFrame Overview

What is SafeFrame?
A cross domain IFRAME
Standard definition of APIs between the top level browsing context and the content inside the IFRAME
● Said IFRAME MUST be a direct child of the top; it cannot be nested.
API establishes functionality for ‘heavy interactions’ with the top level browsing context:
● Expand/Resize the Frame
● Draw additional elements
● Etc.
Each piece of functionality can be allowed or disallowed by the top level browsing context
API allows for some data sharing
● Geometric information
● Relevant DOM events

What is SafeFrame?
(Diagram: External Content; Host Content Domain; Cross Domain (“agnostic”) IFRAME for 3rd party content; SafeFrame APIs)
Creates one or more IFRAME(s) using a secondary agnostic origin
● But content is injected, rather than loaded from a given URL, mitigating the need for an HTTP request per IFRAME.
● Typically the document URI for the IFRAME is a CDN (content delivery network) URI
● Document and its initial resources are cacheable
3rd party content is typically free form HTML and JavaScript

How it Works (diagram, built up over four slides)
PubSite.com: SF JavaScript Tag

How it Works
PubSite.com: SF JavaScript Tag → SF-iframe.com: SF API

How it Works
PubSite.com: SF JavaScript Tag → SF-iframe.com: SF API, 3rd party content

How it Works
PubSite.com: SF JavaScript Tag → SF-iframe.com: SF API ↔ 3rd Party Content

Proposed Extensions

HTML5 Sandbox and CSP
Limitations (as we see it)
● Current sandbox attributes/directives are too coarse grain
● There are additional areas of control publishers desire
Ask
● Enhancement to allow finer controls, i.e., ability to restrict:
  ● Individual plug-ins (Sandbox)
  ● Allow / Deny access to a given IFRAME via JavaScript
  ● Downloads
  ● Alternate navigation

SafeFrame, Sandbox and CSP

Desired Feature          | Covered by HTML5 Sandbox? | Included in CSP 1.1? | Comments
-------------------------|---------------------------|----------------------|---------------------------------------------------------
allow-plugins            | No                        | Yes                  | HTML 5 sandbox
plugin-types             | No                        | Yes                  | Support for enabling/disabling specific plugin types
media-types              | No                        |                      | Restrict use of certain type of images, audio, video
require-user-initiation  | No                        |                      | Prevent autoplay of audio/video without user initiation; prevent navigation without user initiation

SafeFrame, Sandbox and CSP

Desired Feature                          | Covered by HTML5 Sandbox? | Included in CSP 1.1? | Comments
-----------------------------------------|---------------------------|----------------------|---------------------------------------------------------
file-download                            | No                        | No*                  | Rule to allow / disallow using navigation or an iframe to load content that triggers a download
restrict-script                          | No                        |                      | JavaScript in an IFRAME restricted to itself regardless of origin; allow storage/cookie read/write
force-self-nav-top / force-self-nav-new  | No                        |                      | Force navigation target to self or new
message-src                              | No                        |                      | Rule allowing/disallowing x-origin messaging
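The following is an added example written for this transcript; it is not code from the SafeFrame specification, the IAB, or the presenters. It models, in plain Node-runnable JavaScript, the host (top level browsing context) side of what the "What is SafeFrame?" slide and the two tables above describe: a publisher's allow/deny choices are mapped onto HTML5 sandbox tokens and onto a Content-Security-Policy for the frame document served from the agnostic origin, and a SafeFrame-style API request (expand, geometry) coming from the frame is accepted only after its origin, the per-frame allow list and its geometry have been checked, which is what "each piece of functionality can be allowed or disallowed by the top level browsing context" comes down to. The policy field names, the message shape (frameId, action, params), the frame registry and the cdn.example asset origin are assumptions of this example; pubsite.com and sf-iframe.com are the names used on the slides. The allow-downloads and allow-top-navigation-by-user-activation sandbox tokens are real tokens that were added to the HTML standard after this talk and correspond to the file-download and require-user-initiation rows.

```javascript
'use strict';
// Added example, not code from the SafeFrame spec or the IAB deck. Models the host
// (top level browsing context) side of the policy the slides describe. Pure functions,
// so it runs under Node without a DOM. Policy field names, the message shape
// (frameId/action/params) and the frame registry are assumptions of this example.

// HTML5 sandbox token list for the ad IFRAME. allow-same-origin is deliberately never
// emitted: together with allow-scripts it would let frame content on the same origin
// reach back and remove its own sandbox attribute, which defeats the isolation.
function buildSandboxAttribute(policy) {
  const tokens = ['allow-scripts']; // creatives are "free form HTML and JavaScript"
  if (policy.allowForms) tokens.push('allow-forms');
  if (policy.allowPopups) tokens.push('allow-popups');
  // Navigation of the top page only on a user gesture: the "require-user-initiation" row.
  if (policy.allowTopNavigationOnUserGesture) tokens.push('allow-top-navigation-by-user-activation');
  // Sandboxed frames cannot trigger downloads unless this token is present: the "file-download" row.
  if (policy.allowDownloads) tokens.push('allow-downloads');
  return tokens.join(' ');
}

// Content-Security-Policy for the frame document served from the agnostic (CDN) origin.
// Sent as a response header so frame-ancestors is honoured (it is ignored in a <meta> tag).
// img-src / media-src stand in for the deck's "media-types" control.
function buildCsp(policy) {
  const none = "'none'";
  const directives = [
    `default-src ${none}`,
    `script-src ${policy.scriptOrigins.join(' ')}`,
    `img-src ${policy.allowImages ? policy.assetOrigins.join(' ') : none}`,
    `media-src ${policy.allowMedia ? policy.assetOrigins.join(' ') : none}`,
    `object-src ${none}`,                          // no plug-ins at all in the creative
    `frame-ancestors ${policy.publisherOrigin}`,   // only the publisher page may embed it
  ];
  return directives.join('; ');
}

// Host-side gate for a SafeFrame-style request arriving via window.postMessage.
// `frames` maps frameId -> { origin, allowedActions, maxWidth, maxHeight } recorded when the
// host created the IFRAME. Returns { ok: true, action, params } or { ok: false, reason }.
function validateFrameMessage(event, frames) {
  const { origin, data } = event;
  if (typeof data !== 'object' || data === null) return { ok: false, reason: 'malformed' };
  const frame = frames.get(data.frameId);
  if (!frame) return { ok: false, reason: 'unknown-frame' };
  // Any window can postMessage to top; only the origin recorded for this frame may drive it.
  if (origin !== frame.origin) return { ok: false, reason: 'origin-mismatch' };
  // In a browser also compare event.source with the IFRAME's contentWindow when it is known.
  if (frame.source && event.source !== frame.source) return { ok: false, reason: 'source-mismatch' };
  if (!frame.allowedActions.has(data.action)) return { ok: false, reason: 'action-denied' };
  if (data.action === 'expand') {
    // Geometry is data from an untrusted origin: bound it before touching the host layout.
    const { width, height } = data.params || {};
    const sane = (v, max) => Number.isInteger(v) && v > 0 && v <= max;
    if (!sane(width, frame.maxWidth) || !sane(height, frame.maxHeight)) {
      return { ok: false, reason: 'bad-geometry' };
    }
  }
  return { ok: true, action: data.action, params: data.params || {} };
}

// Constructed sample input: one frame registered by the host on the slides' sf-iframe.com
// origin, and a publisher policy. cdn.example is a placeholder asset origin.
const sampleFrames = new Map([
  ['sf-1', { origin: 'https://sf-iframe.com', allowedActions: new Set(['expand', 'geometry']),
             maxWidth: 970, maxHeight: 600 }],
]);
const samplePolicy = {
  allowForms: false, allowPopups: true, allowTopNavigationOnUserGesture: true, allowDownloads: false,
  scriptOrigins: ["'self'", 'https://cdn.example'], assetOrigins: ['https://cdn.example'],
  allowImages: true, allowMedia: false, publisherOrigin: 'https://pubsite.com',
};

function demo() {
  const from = (origin, data) => validateFrameMessage({ origin, data }, sampleFrames);
  return {
    sandbox: buildSandboxAttribute(samplePolicy),
    csp: buildCsp(samplePolicy),
    expand: from('https://sf-iframe.com', { frameId: 'sf-1', action: 'expand', params: { width: 300, height: 600 } }),
    wrongOrigin: from('https://other.example', { frameId: 'sf-1', action: 'expand', params: { width: 300, height: 600 } }),
    navigate: from('https://sf-iframe.com', { frameId: 'sf-1', action: 'navigate' }),
    tooBig: from('https://sf-iframe.com', { frameId: 'sf-1', action: 'expand', params: { width: 5000, height: 600 } }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The origin check is the one that matters most: a sandboxed frame without allow-same-origin runs in an opaque origin, so the only identity the host can rely on is the origin the frame document was actually served from, recorded at creation time and compared against event.origin on every message. The per-frame allow list is the host's concrete expression of "allowed or disallowed by the top level browsing context", and bounding the requested geometry keeps an expand request from driving the host layout with arbitrary values.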

Next Steps
● Define details around the proposed extensions (write the spec)
● Communicate the proposal to W3C via the established processes: bugzilla items and spec extension draft
● Discuss other areas of collaboration

Thank You!
Contacts
● Chris Mejia:
● Sean Snider:
● Prabhakar Goyal:
References
● SafeFrame:
● Digital advertising ecosystem overview: