Question
a) Watch the talk from AppSec USA 2012 called “The Same-Origin Saga” given by Brendan Eich (the author of JavaScript). Ignoring much of the developer jargon, summarize why and how Mr. Eich implemented same origin and what issues were subsequently discovered.
b) Watch the talk from AppSec USA 2012 called “Origin(al) Sins” given by Alex Russell of Google. Again, ignoring much of the developer jargon, summarize the fundamental issues of browser security and how Google is attempting to address them.
c) Watch the talk from AppSec USA 2012 called “Securing JavaScript” given by Douglas Crockford, author of JSON and JSLint. Again, ignoring much of the developer jargon, discuss the difficulty of writing secure JavaScript.
d) Describe any unexpected or interesting things you learned outside of what was asked above based on watching these talks. Critique the talks and the speakers from your perspective.
Explanation / Answer
a) Eich created what became known as the browser "Same-Origin Policy" (SOP) under duress for Netscape 2, 3, and 4 in the mid-nineties. SOP was intended to preserve the integrity of a user/website session against interference from untrusted other sites. As the web evolved, SOP split from a single precise policy into several variations on a theme, but it remains the default browser content security policy framework. Eich reviews SOP's vulnerabilities and its "patches" that were intended to mitigate those avenues of attack. Eich closes by suggesting an extension to SOP that labels scripts loaded cross-site with origins that are distinguishable from (yet related to) the origin of the including web page or application.
b) Alex Russell in this video talks about the XSS vulnerabilities. He says that the web has a Confused Deputy problem at the heart of many of our hardest security challenges. Tricking a browser or site into using latent credentials and authentication information for other parties and sites is the game and XSS is how it's played. With CSP, sandboxed iframes, and the next version of Chrome Apps, Google is tackling these challenges for app authors head-on, making it easier than not to build secure apps and removing the potential for confusion by removing ambient authority itself. This talk explores why, how, and when we might finally improve the baseline security level of new apps.
c) Crockford in his talk speaks about the insecurities in JavaScript that got introduced with the new features. He says that the Web platform is hopelessly insecure, yet surprisingly, JavaScript can be transformed into a secure programming language by the subtraction of a small set of features. The design of JavaScript was influenced by Scheme. JavaScript's schemishness is the key to its salvation.