can inject malicious content into the HTTP response, simulating a reply from attacker.com.

2.2. Gadget attacker
A gadget attacker is a Web attacker with one additional ability: the integrator embeds a gadget of the attacker's choice. This assumption lets us accurately evaluate mashup isolation and communication protocols because the purpose of these protocols is to let an integrator embed untrusted gadgets safely. In practice, a gadget attacker can either wait for the user to visit the integrator or can redirect the user to the integrator's Web site from attacker.com.

3. FRAME ISOLATION
Web sites can use frames to delegate portions of their screen real estate to other Web sites. For example, a site can sell parts of its pages to advertising networks. The browser displays the location of the main, or top-level, frame in its location bar. Subframes are often visually indistinguishable from other parts of a page, and the browser does not display their location in its user interface.

3.1. Background
The browser's scripting policy answers the question "when can one frame manipulate the contents of another frame?" The scripting policy is the most important part of the browser security policy because a frame can act on behalf of every other frame it can script. For example,

otherWindow.document.forms[0].password.value

attempts to read the user's password from another window. Modern Web browsers let one frame read and write all the properties of another frame only when their content was retrieved from the same origin, i.e. when the scheme (e.g., http or https), host, and port of their locations match. If the content of otherWindow was retrieved from a different origin, the browser's security policy will prevent the script above from accessing otherWindow.document.

In addition to enforcing the scripting policy, every browser must answer the question "when is one frame permitted to navigate another frame?" Prior to 1999, all Web browsers implemented a permissive policy:

Permissive Policy
A frame can navigate any other frame.

For example, if otherWindow includes a frame,

otherWindow.frames[0].location = "https://attacker.com/";

navigates the frame to https://attacker.com/. Under the permissive policy, the browser navigates otherWindow even if it contains content from another origin. There are a number of idioms for navigating frames, including

window.open("https://attacker.com/", "frameName");

which navigates a frame named frameName. Frame names exist in a global name space that is shared across origins.

3.2. Cross-window attacks
In 1999, Georgi Guninski discovered that the permissive frame navigation policy admits serious attacks.7 At the time, the password field on the CitiBank login page was contained within a frame, and the Web attacker could navigate that frame to https://attacker.com/, letting the attacker fill the frame with identical-looking content that steals the password. This cross-window attack proceeds as follows:
1. The user views a blog that displays the attacker's ad.
2. Separately, the user visits bank.com, which displays its password field in a frame.
3. The advertisement navigates the password frame to https://attacker.com/. The location bar remains https://bank.com and the lock icon remains present.
4. The user enters his or her bank.com password into the https://attacker.com/ frame on the bank.com page, submitting the password to attacker.com.

Of the browsers in heavy use today, Internet Explorer 6 and Safari 3 both implement the permissive policy and allow this attack. Internet Explorer 7 and Firefox 2 implement stricter policies (described in subsequent sections). Many Web sites, including Google AdSense, display their password field in a frame and are vulnerable to this attack; see Figure 1.

Figure 1: Cross-window attack. The attacker hijacks the password field, which is in a frame.

3.3. Same-window attacks
In 2001, Mozilla prevented the cross-window attack by implementing a stricter policy:

Window Policy
A frame can navigate only frames in its window.
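The scripting policy of Section 3.1 and the two navigation policies stated in Sections 3.1 and 3.3 can be written down as small decision functions and run against the frame layout of the cross-window attack in Section 3.2. The following is an added example, not code from the paper or from any browser: the frame tree, the origins (a blog at blog.example showing an ad frame from attacker.com, and a separate bank.com window with its login frame) and every helper name are assumptions constructed for this illustration. The same-origin test follows the paper's definition (scheme, host and port match), filling in the scheme's default port when a URL omits it.

```javascript
// Added example (not from the paper): a model of the scripting policy and the
// Permissive/Window frame navigation policies, checked against a constructed
// frame tree that mirrors the cross-window attack scenario.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin = (scheme, host, port); an omitted port means the scheme's default.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Same-origin test as the paper states it: scheme, host and port all match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Scripting policy: one frame may read or write another frame's properties
// only when both were retrieved from the same origin.
function canScript(frameA, frameB) {
  return sameOrigin(frameA.location, frameB.location);
}

// A "window" is a top-level browsing context; each frame records its location
// and the window it lives in. (Constructed data model, not a browser API.)
function makeWindow(name, location) {
  const win = { name, frames: [] };
  win.top = { name: `${name}-top`, location, window: win };
  win.frames.push(win.top);
  return win;
}

function addFrame(win, name, location) {
  const frame = { name, location, window: win };
  win.frames.push(frame);
  return frame;
}

// Frame navigation policies exactly as the paper states them.
const POLICIES = {
  // Permissive Policy: a frame can navigate any other frame.
  permissive: (navigator, target) => true,
  // Window Policy: a frame can navigate only frames in its own window.
  window: (navigator, target) => navigator.window === target.window,
};

function canNavigate(policyName, navigator, target) {
  return POLICIES[policyName](navigator, target);
}

// Constructed scenario from Section 3.2: a blog window showing the attacker's
// ad in a frame, and a separate bank.com window with the password field in a
// frame. Hostnames are placeholders chosen for this example.
function crossWindowScenario() {
  const blog = makeWindow('blog', 'https://blog.example/');
  const ad = addFrame(blog, 'ad', 'https://attacker.com/ad');
  const bank = makeWindow('bank', 'https://bank.com/');
  const password = addFrame(bank, 'password', 'https://bank.com/login');
  return { ad, password };
}

// Can the ad frame script or navigate the bank's password frame under each policy?
function evaluateCrossWindow() {
  const { ad, password } = crossWindowScenario();
  return {
    adCanScriptPassword: canScript(ad, password),
    permissiveAllowsNavigation: canNavigate('permissive', ad, password),
    windowPolicyAllowsNavigation: canNavigate('window', ad, password),
  };
}

// The Window Policy, read literally, still lets a frame navigate a sibling
// frame in its own window even when the two have different origins.
function evaluateSameWindowSiblings() {
  const integrator = makeWindow('integrator', 'https://integrator.example/');
  const gadget = addFrame(integrator, 'gadget', 'https://attacker.com/gadget');
  const other = addFrame(integrator, 'other', 'https://integrator.example/widget');
  return {
    gadgetCanScriptSibling: canScript(gadget, other),
    windowPolicyAllowsNavigation: canNavigate('window', gadget, other),
  };
}

console.log(evaluateCrossWindow());
// { adCanScriptPassword: false, permissiveAllowsNavigation: true, windowPolicyAllowsNavigation: false }
console.log(evaluateSameWindowSiblings());
// { gadgetCanScriptSibling: false, windowPolicyAllowsNavigation: true }
```

The two results together make the paper's point about the scripting and navigation policies being separate decisions: the ad frame can never script the bank.com frame (different origin), yet under the Permissive Policy it can still navigate it, which is what the cross-window attack relies on, while the Window Policy stops that navigation because the two frames live in different top-level windows.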