The web is replete with “widgets” embedded into sites but hosted by external parties (witness: Google Maps, Facebook Social Plugins). Some of the best uses of these widgets require the various widgets to communicate with the embedding site or even with each other. Without a secure communication channel, though, these widgets can expose sensitive information or capabilities to malicious parties eavesdropping, spoofing, or manipulating that communication.
window.postMessage() [1] gives modern browsers a secure and convenient communication channel. Unfortunately, a significant portion of internet users are browsing with non-modern browsers [2].
The traditional method of communicating between iframes is via updating the target frame’s URL fragment (a.k.a. #hash). This method can be made secure, but naive implementations (of which there are legion) are open to spoofing and eavesdropping.
This talk will describe the Needham-Schroeder-Lowe protocol, a well-known security protocol, and show the protocol’s ability to secure the traditional #hash communication channel against spoofing and eavesdropping attacks.
The information in this talk is based on research by Adam Barth, Collin Jackson, and John C. Mitchell of Stanford University’s Web Security Group [3].
[1] http://www.whatwg.org/specs/web-...
[2] A brief flip through Wikipedia suggests about 10% of the web browsing population uses Internet Explorer 6 or 7.
[3] http://seclab.stanford.edu/webse...
San Francisco, United States
12th–14th August 2011