Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP."— Presentation transcript:

1 Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009

2 Outline Background Setting SOP

3 Background Document Object Model (DOM) Cookie XMLHttpRequest HTML LiveHTTPHeaders extension for Firefox

4 DOM The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. – from wiki cross-platformlanguageobjectsHTMLXHTMLXML

5 Cookie Cookies are placeholders for server- provided data in the web browser typically used to track sessions. Each cookie is a key-value pair such as "color=green" and may have some optional attributes. Web applications can create a cookie in the web browser using the set-cookie header in the HTTP response.

6 Cookie (cont.) After cookies are created, web browsers attach the cookies in all the subsequent requests to the web application. In a JavaScript program, All the cookies in the web application can be referenced using document.cookie object. In cookie-based session-management schemes, web applications store the session identifier in a cookie in the web browser.

7 Use Live HTTP Header (tools)

8 XMLHttpRequest XMLHttpRequest has an important role in the AJAX web development technique. – from wiki AJAX http://www.w3.org/TR/XMLHttpRequest/ xhr = new XMLHttpRequest(); xhr.open(POST,"http://www.originalphpbb.co m/posting.php",true); xhr.send(null);

9 HTML http://www.w3schools.com/TAGS/tag_a.as p –frame –iframe –img –a

10 LiveHTTPHeaders Observe the post request Observe the response Observe the cookie

11 Setting about:config in address bar of Firefox

12 SOP Origin: –Protocol: http://, file://, ftp://, etc. –Domain: microsoft.com, google.com, etc. –Port: 80, 8080, 21, 3128, etc. The SOP identifies each web site using its origin, and creates a context for each origin. For each origin, the web browser creates a context and stores the resources of the web application from the origin in the context. JavaScript programs from one origin are not allowed to access resources from another origin.

13 Examples checks against the URL "http://www.example.com/dir/page.html". - - from wikiURL

14 Resources for SOP Cookie History URL Contents Etc.

15 URL When in URL bar, I input some cross domain web page, can you use “forward” and “backward”? Is the URL showing?

16 Tags do not honor SOP Find out by yourself!

17 Reference http://wikipedia.org/ http://www.w3.org/TR/2008/WD- XMLHttpRequest2-20080930/http://www.w3.org/TR/2008/WD- XMLHttpRequest2-20080930/ http://getfirebug.com/

Download ppt "Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
1/7 ITApplications XML Module Session 8: Introduction to Programming with XML.

1/7 ITApplications XML Module Session 8: Introduction to Programming with XML.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Web 2.0 with AJAX Students : LASC Ioana KELEMEN Csilla POP Dan Adrian CIOBANU Dumitru Daniel Project leaders : Jean Luc LARBOT Ahmed RHIAT.

Web 2.0 with AJAX Students : LASC Ioana KELEMEN Csilla POP Dan Adrian CIOBANU Dumitru Daniel Project leaders : Jean Luc LARBOT Ahmed RHIAT.
Davis Dai. Introduction  Acronym for “asynchronous JavaScript and XML”  Combination of various technologies  Was not developed as an official standard.

Davis Dai. Introduction  Acronym for “asynchronous JavaScript and XML”  Combination of various technologies  Was not developed as an official standard.
Chapter 9 Introduction to the Document Object Model (DOM) JavaScript, Third Edition.

Chapter 9 Introduction to the Document Object Model (DOM) JavaScript, Third Edition.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
HTML 1 Introduction to HTML. 2 Objectives Describe the Internet and its associated key terms Describe the World Wide Web and its associated key terms.

HTML 1 Introduction to HTML. 2 Objectives Describe the Internet and its associated key terms Describe the World Wide Web and its associated key terms.
Presented by…. Group 2 1. Programming language 2Introduction.

Presented by…. Group 2 1. Programming language 2Introduction.
Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.

Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.
CSCI 323 – Web Development Chapter 1 - Setting the Scene We’re going to move through the first few chapters pretty quick since they are a review for most.

CSCI 323 – Web Development Chapter 1 - Setting the Scene We’re going to move through the first few chapters pretty quick since they are a review for most.
IT 210 The Internet & World Wide Web introduction.

IT 210 The Internet & World Wide Web introduction.
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
Working with Cookies Managing Data in a Web Site Using JavaScript Cookies* *Check and comply with the current legislation regarding handling cookies.

Working with Cookies Managing Data in a Web Site Using JavaScript Cookies* *Check and comply with the current legislation regarding handling cookies.
Unit 1 – Web Concepts Instructor: Brent Presley. ASSIGNMENT Read Chapter 1 Complete lab 1 – Installing Portable Apps.

Unit 1 – Web Concepts Instructor: Brent Presley. ASSIGNMENT Read Chapter 1 Complete lab 1 – Installing Portable Apps.
1 Session 1: Introduction to HTML Spring 2011. 2 Today’s Agenda Cover useful terminology for today’s session HTML, browsers, servers, etc. HTML Tags Get.

1 Session 1: Introduction to HTML Spring Today’s Agenda Cover useful terminology for today’s session HTML, browsers, servers, etc. HTML Tags Get.
CSE 154 LECTURE 12: COOKIES. Including files: include include(filename); PHP include(header.html); include(shared-code.php); PHP inserts the entire.

CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.

Similar presentations

Ads by Google