Secure cross-document messaging scheme based on HTML5

doi:10.7523/j.issn.1002-1175.2013.01.019

Abstract

Abstract:

We analyze security risk of the current cross-document messaging methods based on HTML5 and propose a secure cross-document messaging scheme SafePM. In SafePM, white list, two-way detection, and auto-detecting are developed to limit maliciously messaging. Moreover, with the detection of the message content, SafePM eliminates information leakage and tampering and reduce the risk for executing of cross-site scripts, which makes cross-document messaging more secure.

Key words: HTML5, cross-document messaging, white list, two-way detection, SafePM

CLC Number:

TP393

LI Xiao-Yu, ZHANG Yu-Qing, LIU Qi-Xu, ZHENG Chen. Secure cross-document messaging scheme based on HTML5[J]. , 2013, 30(1): 124-130.

References

[1] Barth A, Jackson C, Mitchell J C. Securing frame communication in browsers[C]//Proceedings of the 17th USENIX Security Symposium. San Jose, CA, USA,2008:17-30.

[2] The World Wide Web Consortium (W3C).W3C editor's draft[EB/OL]. (2011-11-20)[2011-11-25]. http://dev.w3.org/html5 /postmsg/#dom-messageevent-source.

[3] Alman B. jQuery postMessage: Cross-domain scripting goodness[EB/OL]. (2009-08-23)[2011-11-20]. http://benalman. com/projects/jquery-postmessage-plugin/.

[4] Kinsey Φ S. Easy cross-site scripting using the easyXDM library[EB/OL].(2009-08-17)[2011-11-25]. http://www.codeproject.com/Articles/37622/Easy-Cross-site-Scripting-using-the-easyXDM-Library.

[5] Matono A, Nakamura A, Kojima I. A mashup tool for cross-domain Web applications using HTML5[J]. Lecture Notes in Computer Science, 2011, 6612:382-385.

[6] Ryck P D, Desmet L, Philippaerts P, et al. A security analysis of next generation Web standards[R/OL].Greece: European Network and Information Security Agency (ENISA), (2011-07-31)[2011-11-25]. http://www.enisa.europa.eu/activities/application-security/web-security/.

[7] Hickson I. HTML living standard . USA:The Web Hypertext Application Technology Working Group, (2009-10-23)[2011-11-25]http://www.whatwg.org/specs/web-apps/current-work/multipage/web-messaging.html#crossDocumentMess ages.

[8] Hanna S, Shin E C R, Akhawe D, et al. The emperor’s new APIs: on the (in)secure usage of new client-side primitives[C]//Proceedings of the 4th Web 2.0 Security and Privacy. Oakland, California, USA, 2010.

[9] Saxena P, Hanna S, Poosankam P, et al. FLAX:systematic discovery of client-side validation vulnerabilities in rich Web applications[C]//Proceedings of the 17th Annual Network & Distributed System Security Symposium. San Diego, Califonia, USA, 2010.

[10] Edwards D. Packer version 3.0[CP/OL]. (2007-04-01)[2011-11-20]. http://dean.edwards.name/weblog/2007/04/packer3/.

[11] Heiderich M. HTML5 security cheatsheet[EB/OL].(2011-01-22)[2011-11-20].http://html5sec.org/.

[1]	DAI Zhiming, ZHOU Mingtuo, YANG Yang, LI Jian, LIU Jun. Fog computing resource scheduling in intelligent factories [J]. Journal of University of Chinese Academy of Sciences, 2021, 38(5): 702-711.
[2]	LIU Ting, LUO Xiliang. Online task offloading in mobile edge computing [J]. Journal of University of Chinese Academy of Sciences, 0, (): 21542-21542.
[3]	ZHU Zhaowei, LIU Ting, QIAN Hua, LUO Xiliang. Online task offloading in non-stationary fog-enabled networks [J]. , 2020, 37(5): 699-707.
[4]	LAI Xunfei, LIANG Xuwen, XIE Zhuochen, LI Zongwang. Intrusion detection method based on entity embedding and long short-term memory networks [J]. , 2020, 37(4): 553-561.
[5]	ZHAO Ze, XU Youyu, TANG Liang, BU Zhiyong. Internet traffic classification based on the improved one-versus-one method [J]. , 2020, 37(4): 570-576.
[6]	XUE Kaiping, LIU Bin, LI Wei, HONG Peilin. A format feature extracting and classifying algorithm for unknown data link frame [J]. , 2018, 35(4): 521-528.
[7]	TIAN Jie, WANG Weiqiang, SUN Yi. Recognition of overlaid Chinese characters in videos without binarization [J]. , 2018, 35(3): 402-408.
[8]	YE Yanling, FU Xiaotong, ZHANG Yuqing, YUE Hongzhou. An automated and directed testing technique for target behavior of Android application [J]. , 2018, 35(3): 409-416.
[9]	YAN Zhitao, FANG Binxing, LIU Qixu, CUI Xiang. A wireless router-based lightweight defense framework for IoT devices [J]. , 2017, 34(6): 759-770.
[10]	WANG Kaiyong, DENG Yu. Identification of spatial connection intensity of Zhongyuan urban agglomeration based on microblogging [J]. , 2016, 33(6): 775-782.
[11]	YAN Shujun, WANG Wenjie, ZHANG Yuqing. An efficient method of web fingerprint identification [J]. , 2016, 33(5): 679-685.
[12]	HOU Jinzhong, ZHANG Libo, LUO Tiejian. A distributed storage method of balancing video resources [J]. , 2016, 33(5): 686-692.
[13]	CAO Laicheng, ZHAO Jianjun, CUI Xiang, LI Ke. Cyberspace device identification based on K-means with cosine distance measure [J]. , 2016, 33(4): 562-569.
[14]	WU Jingzheng, WU Yanjun, WU Zhifei, YANG Mutian, LUO Tianyue, WANG Yongji. An Android privacy leakage malicious application detection approach based on directed information flow [J]. , 2015, 32(6): 807-815.
[15]	DONG Ying, ZHANG Yuqing, YUE Hongzhou. Vulnerability exploitation for Joomla content management system [J]. , 2015, 32(6): 825-835.