Acknowledgments
We thank Mike Beltzner, Sumeer Bhola, Dan Boneh, Gabriel
E. Corvera, Ian Hickson, Koji Kato, Eric Lawrence, Erick Lee,
David Lenoe, David Ross, Maciej Stachowiak, Hallvord Steen,
Peleus Uhley, Jeff Walden, Sam Weinig, and Boris Zbarsky
for their helpful suggestions and feedback. This work is supported by grants from the National Science Foundation and the US Department of Homeland Security.
Adam Barth (abarth@eecs.berkeley.edu), UC Berkeley.
Collin Jackson (collinj@cs.stanford.edu), Stanford University.
John C. Mitchell (mitchell@cs.stanford.edu), Stanford University.
© 2009 ACM 0001-0782/09/0600 $10.00