over 7 years ago

A Radical Trend: SciVerse Gadget Programming and Same Origin Policy

One of the fundamental security concepts for coding a gadget on SciVerse or any other OpenSocial container, for instance in a mashup with third-party open APIs, is the same origin policy for browser-side programming. The same origin policy prevents documents loaded on one page from being accessed by pages on another domain, port or protocol.

There are two basic threats to be considered: the user session being accessed maliciously and phishing for user credentials like usernames and passwords.

There is some flexibility for scripts to access the document of another domain. Parent domain name traversal lets scripts on one page access documents on another page in a different subdomain of the same parent domain. This is done by a script changing the document.domain value. Country domains like co.uk are vulnerable in this respect if the browser in question only restricts access at the domain.tld (tld = top-level domain) portion of the host name and does not protect a domain name ending in co.uk, for instance. External scripts included on the page can also allow access to the page’s document, bypassing the same origin policy.
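The origin comparison and the document.domain relaxation described above, including the co.uk case, modelled as an added example (not code from the original post or from any browser). `PUBLIC_SUFFIXES`, the function names and the host names are constructed assumptions, and the sharing rule is a simplified model of what browsers do.

```javascript
// Constructed stand-in for a browser's public suffix list (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk"]);

// An origin is the (protocol, host, port) triple; default ports are made explicit.
function originOf(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443" };
  return { protocol: u.protocol, host: u.hostname, port: u.port || defaults[u.protocol] || "" };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Naive rule modelled on the text: any "domain.tld"-shaped suffix of the host is accepted.
function naiveDomainCheck(host, value) {
  const isSuffix = host === value || host.endsWith("." + value);
  return isSuffix && value.split(".").length >= 2;
}

// Stricter rule: the same test, but registry suffixes such as co.uk are refused.
function strictDomainCheck(host, value) {
  return naiveDomainCheck(host, value) && !PUBLIC_SUFFIXES.has(value);
}

// Simplified model: two pages share documents once both may set document.domain
// to the same value and their protocols match.
function canShareAfterRelaxation(urlA, urlB, value, check) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol && check(a.host, value) && check(b.host, value);
}

// Constructed host names; nothing is fetched.
const subA = "http://gadgets.example.com/a", subB = "http://www.example.com/b";
const ukA = "http://site-a.co.uk/", ukB = "http://site-b.co.uk/";
console.log(sameOrigin(subA, subB));
console.log(canShareAfterRelaxation(subA, subB, "example.com", strictDomainCheck));
console.log(canShareAfterRelaxation(ukA, ukB, "co.uk", naiveDomainCheck));
console.log(canShareAfterRelaxation(ukA, ukB, "co.uk", strictDomainCheck));
```

Under the naive check, two unrelated registrants under co.uk end up sharing documents; refusing registry-controlled suffixes is what keeps them separate.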

Browser-side hacking comes in a few variations. Cross-site request forgery (CSRF, XSRF, or cross-site reference forgery) uses an established session with user credentials to submit a malicious form within the scope of the existing session. Cross-site scripting (XSS) embeds scripts into data that is sent to the user. There are other possible attacks as well.

Why is the same origin policy relevant to SciVerse gadget or OpenSocial gadget programming? The main reason is that gadgets are essentially IFRAMEs running on a page. The use of IFRAMEs is another way to bypass the same origin policy and include a third-party domain to embed scripts in a page. Many gadgets are intended to mash up code from different domains. The Web 2.0 trend of mashing up data from different sources in a gadget within an OpenSocial container is a radical break with the origins of the same origin policy, which was designed as the foundation of internet and browser security.

Links:

https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript

http://code.google.com/p/browsersec/wiki/Part1

http://code.google.com/p/browsersec/wiki/Part2