Table 1: Security properties of frame communication channels (rows include fragment identifier messaging; the channels are compared to public key encryption and public key signatures; the table cells did not survive extraction).
We discover an attack on this protocol, related to Lowe’s anomaly in the Needham–Schroeder protocol, in which a malicious gadget can impersonate the integrator to the Contacts gadget. We suggested a solution based on Lowe’s improvement to the Needham–Schroeder protocol15 that Microsoft implemented and
• postMessage is a browser API designed for interframe communication10 that is implemented in Internet Explorer 8, Firefox 3, Safari 4, Google Chrome, and Opera. Although postMessage has been deployed in Opera since 2005, we demonstrate an attack on the channel’s confidentiality using frame navigation. In light of this attack, the postMessage channel provides authentication but lacks confidentiality, analogous to a channel in which senders cryptographically sign their messages. To secure the channel, we propose modifying the API. Our proposal has been adopted by the HTML 5 working group and all the major
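The confidentiality weakness and the authentication property described in the bullet above, as an added example that is not the paper’s code: a small Node.js model of browser windows, frame navigation and postMessage. It assumes the targetOrigin parameter of today’s HTML5 postMessage(message, targetOrigin) API (this excerpt does not spell out the details of the proposal) and uses constructed origins integrator.example, gadget.example and attacker.com.

```javascript
// Added example (not from the paper): a toy model of browser windows,
// frame navigation and postMessage. It shows why a message sent with
// targetOrigin "*" is readable by whatever document currently occupies the
// target frame, and why the receiver still gets authentication from
// event.origin. All origins and the "secret token" payload are constructed.
'use strict';

class ToyWindow {
  constructor(origin) {
    this.origin = origin;   // origin of the document currently loaded
    this.received = [];     // message events delivered to that document
  }
}

// Frame navigation: loading a new document into the frame replaces its origin
// and discards the old document. The model deliberately lets any caller
// navigate any frame, because the attack assumes such navigation is possible.
function navigate(frame, newOrigin) {
  frame.origin = newOrigin;
  frame.received = [];
}

// Sender side. Returns true if the browser delivered the message.
// With targetOrigin "*" the message reaches whatever document is in the
// frame right now; with an explicit origin the browser drops it on mismatch.
function postMessage(sender, target, data, targetOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== target.origin) {
    return false;
  }
  target.received.push({ data, origin: sender.origin });
  return true;
}

// Receiver side. event.origin is filled in by the browser, not the sender,
// so comparing it against a trusted origin authenticates the sender.
function acceptMessage(event, trustedOrigin) {
  return event.origin === trustedOrigin;
}

// Scenario: an integrator page holds a gadget in a child frame; before the
// integrator sends its secret, an attacker navigates that frame to attacker.com.
function runNavigationScenario(targetOrigin) {
  const integrator = new ToyWindow('https://integrator.example');
  const gadgetFrame = new ToyWindow('https://gadget.example');
  navigate(gadgetFrame, 'https://attacker.com');   // the attacker's navigation
  const delivered = postMessage(integrator, gadgetFrame, 'secret token', targetOrigin);
  return { delivered, leakedTo: delivered ? gadgetFrame.origin : null };
}

// Scenario: the gadget checks the origin of each message it receives, so a
// message from attacker.com is rejected even though it was delivered.
function runAuthenticationScenario() {
  const gadget = new ToyWindow('https://gadget.example');
  const integrator = new ToyWindow('https://integrator.example');
  const attacker = new ToyWindow('https://attacker.com');
  postMessage(integrator, gadget, 'hello from integrator', 'https://gadget.example');
  postMessage(attacker, gadget, 'hello from attacker', 'https://gadget.example');
  return gadget.received.map((ev) => acceptMessage(ev, 'https://integrator.example'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runNavigationScenario('*'));                       // delivered to attacker.com
  console.log(runNavigationScenario('https://gadget.example'));  // dropped by the browser
  console.log(runAuthenticationScenario());                      // [ true, false ]
}
```

The two halves correspond to the two properties named in the text: the explicit targetOrigin restores confidentiality (the sender decides who may read), while the event.origin check is what gives the channel its authentication (the receiver decides whom to believe).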
The remainder of the paper is organized as follows. Section 2 details our threat models. Section 3 surveys existing frame navigation policies and standardizes a secure policy. Section 4 analyzes two frame communication mechanisms, demonstrates attacks, and proposes defenses. Section 5 describes related work. Section 6 concludes.
2. THREAT MODEL
In this section, we define precise threat models so that we can determine how effectively browser mechanisms defend against specific classes of attacks. We consider two kinds of attackers, a “Web attacker” and a slightly more powerful “gadget attacker.” Although phishing4, 6 can be described informally as a Web attack, we do not assume that either the Web attacker or the gadget attacker can fool the user by using a confusing domain name (such as bankofthevvest.com) or by other social engineering. Instead, we assume the user uses every browser security feature, including the location bar and lock icon, accurately and correctly.
2.1. Web attacker
A Web attacker is a malicious principal who owns one or more machines on the network. To study the browser security policy, we assume that the user’s browser renders content from the attacker’s Web site.
• Network abilities: The Web attacker has no special network abilities. In particular, the Web attacker can send and receive network messages only from machines under his or her control, possibly acting as a client or server in network protocols of the attacker’s choice. Typically, the Web attacker uses at least one machine as an HTTP server, which we refer to as attacker.com. The Web attacker has HTTPS certificates for domains he or she owns; certificate authorities provide such certificates for free. The Web attacker’s network abilities are decidedly weaker than the usual network attacker considered in network security because the Web attacker can neither eavesdrop on messages to nor forge messages from other network locations. For example, a Web attacker cannot be a network “
84 Communications of the ACM | June 2009 | Vol. 52 | No. 6
• Client abilities: We assume that the user views attacker.com in a popular browser, rendering the attacker’s content. We make this assumption because an honest user’s interaction with an honest site should be secure even if the user visits a malicious site in another browser window. The Web attacker’s content is subject to the browser’s security policy, making the Web attacker decidedly weaker than an attacker who can execute arbitrary code with the user’s privileges. For example, a Web attacker cannot install a system-wide key logger or botnet client.
We do not assume that the user treats a site other than attacker.com. For example, the user never gives a bank.com password to also assume that honest sites are free of cross-site scripting20 In fact, none of the attacks described in principal. Instead, we focus on privileges the browser itself affords the attacker to interact with honest sites.
In addition to our interest in protecting users that visit malicious sites, our assumption that the user visits attacker.com is further supported by several techniques for attracting users. For example, an attacker can place Web advertisements, host popular content with organic appeal, or send bulk e-mail encouraging visitors. Typically, simply viewing an attacker’s advertisement (such as on a search page) lets the attacker mount a Web attack. In a previous12 we purchased over 50,000 impressions for $30. During each of these impressions, a user’s browser rendered our content, giving us the access required to mount a Web
Attacks accessible to a Web attacker have significant practical impact because these attacks do not require unusual control of the network. Web attacks can also be carried out by a standard man-in-the-middle network attacker, once the user visits a single HTTP site, because a man-in-the-middle