The web is replete with “widgets” embedded into sites but hosted by external parties (witness: Google Maps, Facebook Social Plugins). Some of the best uses of these widgets require the various widgets to communicate with the embedding site or even with each other. Without a secure communication channel, though, these widgets can expose sensitive information or capabilities to malicious parties eavesdropping, spoofing, or manipulating that communication.
window.postMessage()  gives modern browsers a secure and convenient communication channel. Unfortunately, a significant portion of internet users are browsing with non-modern browsers .
The traditional method of communicating between iframes is via updating the target frame’s URL fragment (a.k.a. #hash). This method can be made secure, but naive implementations (of which there are legion) are open to spoofing and eavesdropping.
This talk will describe the Needham-Schroeder-Lowe protocol, a well-known security protocol, and show the protocol’s ability to secure the traditional #hash communication channel against spoofing and eavesdropping attacks.
The information in this talk is based on research by Adam Barth, Collin Jackson, and John C. Mitchell of Standford University’s Web Security Group .
12th–14th August 2011