Web Same-Origin-Policy Lab
Zutao Zhu, 11/06/2009

Outline
• Background
• Setting
• SOP
Background
• Document Object Model (DOM)
• Cookie
• XMLHttpRequest
• HTML
• LiveHTTPHeaders extension for Firefox
DOM
• The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. (from Wikipedia)
Cookie
• Cookies are placeholders for server-provided data in the web browser, typically used to track sessions.
• Each cookie is a key-value pair such as "color=green" and may have some optional attributes.
• Web applications can create a cookie in the web browser using the Set-Cookie header in the HTTP response.
Cookie (cont.)
• After cookies are created, web browsers attach them to all subsequent requests to the web application.
• In a JavaScript program, all the cookies of the web application can be referenced through the document.cookie object.
• In cookie-based session-management schemes, web applications store the session identifier in a cookie in the web browser.
Use Live HTTP Headers (Tools)
XMLHttpRequest
• XMLHttpRequest has an important role in the AJAX web development technique. (from Wikipedia)
• http://www.w3.org/TR/XMLHttpRequest/
• Sending a request from a script (the method must be passed as the string "POST"):
  <script>
    var xhr = new XMLHttpRequest();
    // open(method, url, async): method is a string, the request is asynchronous
    xhr.open("POST", "http://www.originalphpbb.com/posting.php", true);
    xhr.send(null);
  </script>
HTML
• http://www.w3schools.com/TAGS/tag_a.asp
– frame
– img
– a
LiveHTTPHeaders
• Observe the POST request
• Observe the response
• Observe the cookie
Setting
• about:config in the address bar of Firefox
SOP
• Origin: <protocol, domain, port>
– Protocol: http://, file://, ftp://, etc.
– Domain: microsoft.com, google.com, etc.
– Port: 80, 8080, 21, 3128, etc.
• The SOP identifies each web site by its origin and creates a context for each origin.
• For each origin, the web browser creates a context and stores the resources of the web application from that origin in the context.
• JavaScript programs from one origin are not allowed to access resources from another origin.
Examples
• Checks against the URL "http://www.example.com/dir/page.html". (from Wikipedia)
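As an added example (not part of the lab slides), the origin comparison from the SOP slide applied to the URL the Examples slide refers to: each candidate URL is reduced to the <protocol, domain, port> triple and compared with http://www.example.com/dir/page.html. The candidate list is constructed here, and the parser is the WHATWG URL class available in Node.js and browsers.

```javascript
// Added example: compare two URLs by the SOP origin triple <protocol, domain, port>.
function originOf(urlString) {
  const u = new URL(urlString);
  // The URL parser drops a default port (":80" for http, ":443" for https), so an
  // explicit default port and an omitted one must normalise to the same origin.
  const defaultPorts = { "http:": "80", "https:": "443", "ftp:": "21" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { protocol: u.protocol, domain: u.hostname, port };
}

function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.protocol === ob.protocol && oa.domain === ob.domain && oa.port === ob.port;
}

// Constructed candidate list, each compared against the slide's base URL.
// The path is not part of the origin, so different paths are still same-origin.
const BASE = "http://www.example.com/dir/page.html";
const CANDIDATES = [
  "http://www.example.com/dir/page2.html",    // same protocol, domain, port
  "http://www.example.com/dir2/other.html",   // only the path differs
  "http://www.example.com:81/dir/other.html", // port differs
  "https://www.example.com/dir/other.html",   // protocol differs
  "http://en.example.com/dir/other.html",     // domain differs (subdomain)
  "http://example.com/dir/other.html",        // domain differs (no www)
  "http://www.example.com:80/dir/page.html",  // explicit default port: same origin
];

function checkAll() {
  return CANDIDATES.map((url) => ({ url, sameOrigin: isSameOrigin(BASE, url) }));
}

for (const r of checkAll()) {
  console.log(`${r.sameOrigin ? "same-origin " : "cross-origin"} ${r.url}`);
}
```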
Resources for SOP
• Cookie
• History
• URL
• Contents
• Etc.
URL
• When I input some cross-domain web page in the URL bar, can you use "forward" and "backward"?
• Is the URL showing?
Tags do not honor SOP
• Find out by yourself!
Reference
• http://wikipedia.org/
• http://www.w3.org/TR/2008/WD-XMLHttpRequest2-20080930/
• http://getfirebug.com/