Communications - June 2009

acknowledgments

We thank Mike Beltzner, Sumeer Bhola, Dan Boneh, Gabriel E. Corvera, Ian Hickson, Koji Kato, Eric Lawrence, Erick Lee, David Lenoe, David Ross, Maciej Stachowiak, Hallvord Steen, Peleus Uhley, Jeff Walden, Sam Weinig, and Boris Zbarsky for their helpful suggestions and feedback. This work is supported by grants from the National Science Foundation and the US Department of Homeland Security.

References

1. burke, J. cross domain frame communication with fragment identifiers. http://tagneto.blogspot. com/2006/06/cross-domain-frame- communication-with.html.

2. crockford, D. the <module> tag. http://www.json.org/module.html.

3. Daswani, n., stoppelman, m. et al. the anatomy of clickbot.a. in Proceedings of the hotbots (2007).

4. Dhamija, r., tygar, J.D., hearst, m. Why phishing works. in chi ‘06: Proceedings of the sigchi conference on human factors in computing systems (2006).

5. eich, b. Javascript: mobility and ubiquity. http://kathrin.dagstuhl.de/ files/materials/07/07091/07091. eichbrendan.slides.pdf.

6. felten, e. W., balfanz, D., Dean, D., Wallach, D.s. Web spoofing: an internet con game. in Proceedings of the 20th national information systems security conference (1996).

7. guninski, g. frame spoofing using loading two frames. mozilla bug 13871.

8. hickson, i. re: a potential slight security enhancement to postmessage, februrary 2008. http:// lists.whatwg.org/pipermail/whatwg- whatwg.org/2008-february/013949. html.

9. hickson, i. re: htmL5 frame navigation policy, april 2008. http:// lists.whatwg.org/pipermail/whatwg- whatwg.org/2008-april/014597.html.

10. hickson, i. et al. htmL 5 Working Draft. http://www.whatwg.org/specs/ web-apps/ current-work/.

11. Jackson, c., barth, a. beware of finer-grained origins. in Proceedings of the Web 2.0 security and Privacy (W2sP) (2008).

12. Jackson, c., barth, a., bortz, a., shao, W., boneh, D. Protecting browsers from Dns rebinding attacks. in

Proceedings of of the 14th acm conference on computer and communications security (ccs) (2007).

13. Jackson, c., Wang, h.J. subspace: secure cross-domain communication for web mashups. in Proceedings of the 16th international World Wide Web conference (WW W) (2007).

14. De keukelaere, f., bhola, s., steiner, m., chari, s., yoshihama, s. smash: secure cross-domain mashups on unmodified browsers. in Proceedings of the 17th international World Wide Web conference (WWW) (2008). to appear.

15. Lowe, g. breaking and fixing the needham–schroeder public-key protocol using fDr. in Proceedings of tacas (volume 1055, 1996), springer Verlag.

16. microsoft. security attribute (frame, iframe). http://msdn2. microsoft.com/en-us/library/ ms534622(Vs. 85.)aspx.

17. needham, r.m., schroeder, m.D. using encryption for authentication in large networks of computers. commun. acm, 21, 12 (1978), 993–999.

18. ross, D., January 2008. Personal communication.

19. ruderman, J. Javascript security: same origin. http://www.mozilla.org/ projects/security/components/ same-origin.html.

20. stuttard, D., Pinto, m. the Web application hacker’s handbook. Wiley, 2007.

21. thorpe, D. secure cross-domain communication in the browser. archit. J. 12 (2007), 14–18.

22. Wang, h.J., fan, x., howell, J., Jackson, c. Protection and communication abstractions for web browsers in mashupos. in Proceedings of the 21st acm symposium on operating systems Principles (sosP) (2007).

adam Barth ( abarth@eecs.berkeley.edu), uc berkeley.

Collin Jackson
( collinj@cs.stanford.edu),
stanford university.

John C. mitchell ( mitchell@cs.stanford.edu), stanford university.

ACM Transactions on

Internet Technology

◆◆◆◆◆ This quarterly publication encompasses many disciplines in computing—including computer software engineering, middleware, database management, security, knowledge discovery and data mining, networking and distributed systems, communications, and performance and scalability—all under one roof. TOIT brings a sharper focus on the results and roles of the individual disciplines and the relationship among them. Extensive multi-disciplinary coverage is placed on the new application technologies, social issues, and public policies shaping Internet development.