Presentation is loading. Please wait.

Presentation is loading. Please wait.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Published byBennett Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft."— Presentation transcript:

1 Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft

2 Agenda Introduction: what is IAB? Use case SafeFrame Overview HTML5 Sandbox/CSP – Asks Next Steps and Q&A

3

4 Introduction: what is IAB? Interactive Advertising Bureau ●Membership-based trade organization, based in NYC ●Founded in 1996 ●Members are online media publishers ●Over 600 members in the US ●86% of digital advertising in US runs on IAB member sites ●IAB develops digital advertising & publishing standards How do our interests align? ●Ad content is served from 3 rd parties in real time ●Publishers are concerned with site and user security ●Most Web content is paid for by advertising & sponsorship ●We believe in the power of a “free” Web

5 Use case: Real time content serving Publisher Ad Server 3 Browser Ad Request 4 To exchange CDN 7 Asset Request 8 Asset Exchange 5 Ad Request 6 Ad Ad network 6a6a RFB RFBr Agency ad server DSP 6b6b 6c6c RFP RFPr 6d6d Publisher Web Server 1 Content request 2 Content

6 Publisher areas of concerns Isolation ●Separation between publisher and 3 rd party code ●Prevent data leakage – page content, cookies, other data ●Prevent JS and CSS collision Functional / UI ●Allow rich interactions without providing full access ●Restrict certain media types ●Control autoplay Ability to control other “attack surface areas” ●Prevent downloads ●Plugin activation ●Navigation ●Messaging ●.. Covered by Iframe+SafeFrame Topic of today’s discussion

7 SafeFrame Overview

8 What is SafeFrame? A cross domain IFRAME Standard definition of APIs between the top level browsing context and the content inside the IFRAME ●Said IFRAME MUST be a direct child of the top, it cannot be nested. API establishes functionality for ‘heavy interactions’ with the top level browsing context: ●Expand/Resize the Frame ●Draw additional elements ●Etc. Each piece of functionality can be allowed or disallowed by the top level browsing context API allows for some data sharing ●Geometric information ●Relevant DOM events

9 What is SafeFrame? External Content Host Content Domain Cross Domain (“agnostic”) IFRAME for 3 rd party content SafeFrame APIs Creates one or more IFRAME(s) using a Secondary agnostic origin ●But content is injected, rather than loaded from a given URL, mitigating the need for an HTTP request per IFRAME. ●Typically document URI for the IFRAME is a CDN (content delivery network) URI ●Document and it’s initial resources are cacheable 3 rd party content is typically free form HTML and JavaScript

10 How it Works PubSite.com SF Java Scrip t Tag

11 How it Works PubSite.com SF Java Scrip t Tag SF-iframe.com SF API

12 How it Works PubSite.com SF Java Scrip t Tag SF-iframe.com 3 rd party content SF API

13 How it Works PubSite.com SF Java Scrip t Tag SF-iframe.com SF API 3 rd Party Content

14 Proposed Extensions

15 HTML5 Sandbox and CSP Limitations (as we see it) ●Current sandbox attributes/directives are too coarse grain ●There are additional areas of control publishers desire Ask ●Enhancement to allow finer controls, i.e., ability to restrict ●Individual plug-ins (Sandbox) ●Allow / Deny access to a given IFRAME via JavaScript ●Downloads ●Alternate navigation

16 SafeFrame, Sandbox and CSP Desired FeatureCovered by HTML5 Sandbox? Included in by CSP 1.1? Comments allow-plugins NoYesHTML 5 sandbox plugin-typesNoYesSupport for enabling/disabling specific plugin types media-typesNo Restrict use of certain type of images, audio, video require-user- initiation No Prevent autoplay of audio/video without user initiation Prevent navigation without user initiation

17 SafeFrame, Sandbox and CSP Desired Feature Covered by HTML5 Sandbox? Included in by CSP 1.1? Comments file-downloadNoNo*Rule to allow / disallow using navigation or an iframe to load content that triggers a download restrict-scriptNo Javascript in an IFRAME restricted to itself regardless of origin Allow storage/cookie read/write force-self-nav- top/force-self- nav-new No Force navigation target to self or new message-srcNo Rule allowing/disallowing x- origin messaging

18 Next Steps Define details around the proposed extensions (write the spec) Communicate the proposal to W3C via the established processes - bugzilla items and spec extension draft Discuss other areas of collaboration

19 Thank You! Contacts ●Chris Mejia: chris.mejia@iab.netchris.mejia@iab.net ●Sean Snider: ssnider@yahoo-inc.comssnider@yahoo-inc.com ●Prabhakar Goyal: pgoyal@microsoft.compgoyal@microsoft.com References ●SafeFrame: http://www.iab.net/safeframehttp://www.iab.net/safeframe ●Digital advertising ecosystem overview: https://www.youtube.com/watch?v=1C0n_9DOlwE https://www.youtube.com/watch?v=1C0n_9DOlwE

Download ppt "Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft."

Similar presentations

HbbTV Hybrid broadcast broadband TV EBU / ETSI Hybrid Broadcast Broadband Workshop Amsterdam, 9 th September, 2009.

HbbTV Hybrid broadcast broadband TV EBU / ETSI Hybrid Broadcast Broadband Workshop Amsterdam, 9 th September, 2009.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
4.01 How Web Pages Work.

4.01 How Web Pages Work.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
CompSci 4 6.1 Applets & Video Games. CompSci 4 6.2 Applets & Video Games The Plan  Applets  Demo on making and running a simple applet from scratch.

CompSci Applets & Video Games. CompSci Applets & Video Games The Plan  Applets  Demo on making and running a simple applet from scratch.
Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.

Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.
Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Topics in this presentation: The Web and how it works Difference between Web pages and web sites Web browsers and Web servers HTML purpose and structure.

Topics in this presentation: The Web and how it works Difference between Web pages and web sites Web browsers and Web servers HTML purpose and structure.
Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.
Chapter 14 Introduction to HTML

Chapter 14 Introduction to HTML
Winter 2005-2006 Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.

Winter Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,
© 2006 by IBM 1 How to use Eclipse to Build Rich Internet Applications With PHP and AJAX Phil Berkland IBM Software Group Emerging.

© 2006 by IBM 1 How to use Eclipse to Build Rich Internet Applications With PHP and AJAX Phil Berkland IBM Software Group Emerging.
Web Design Basic Concepts.

Web Design Basic Concepts.
Client/Server Architectures

Client/Server Architectures
Presented by…. Group 2 1. Programming language 2Introduction.

Presented by…. Group 2 1. Programming language 2Introduction.

Similar presentations

Ads by Google