Hello, I’m Sunava Dutta and I’m the Program Manager focused on improving
our AJAX
<http://code.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=ie8whitepapers&ReleaseId=581>
scenarios in IE8. In this short post I’ll introduce you to a feature we’re
implementing in the browser that enables safer mashups. The Same Origin
Policy (SOP) requires that browsers prevent script from accessing the
contents of another domain, to prevent cross-site scripting attacks. Web
sites today, like Facebook and Live <http://home.live.com/> among others,
allow users to drag and drop third-party ‘gadgets’ or applications onto
their page. As BBC News
<http://news.bbc.co.uk/2/low/programmes/click_online/7375772.stm> reports,
there are many challenges to doing so safely. These components are usually
embedded third-party scripts. Unfortunately these third-party scripts run
with the same privileges as the parent page and can potentially access
personal data, cookies and other credentials. Attempts are currently
underway to secure such script-based applications. Other forms of
embedding applications exist, such as inserting the gadget in an IFrame;
while these are secure, they can’t communicate with the page and aren’t
as useful.

In order to allow rich mashup scenarios where components can exchange
information and permissions with the parent page, the IE team and other
members of the HTML 5.0 Working Group are developing a cross document
messaging feature. Communication using strings is enabled by a postMessage
<http://msdn.microsoft.com/en-us/library/cc197015%28VS.85%29.aspx> method.
Hosting pages or gadgets are advised to check the origin domain of the
content before inserting it in their DOM. For more details, please refer to
our MSDN <http://msdn.microsoft.com/en-us/library/cc511311%28VS.85%29.aspx>
Dev Center Article on cross document messaging.
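The origin check the post recommends, as an added example that is not code from the original post or from IE8 itself: the hosting page accepts only string messages whose `event.origin` exactly matches the one gadget origin it embeds, inserts them as text rather than markup, and the gadget names the parent's origin when it sends. The origins `https://parent.example.com` and `https://gadget.example.com` are assumed values.

```javascript
// Added example, not from the original post. Assumed origins for a parent
// page that embeds one gadget in an iframe and talks to it with postMessage.
const PARENT_ORIGIN = "https://parent.example.com";
const GADGET_ORIGIN = "https://gadget.example.com";

// Receiver side: accept a message only if it comes from the expected origin.
// event.origin is the sender's full scheme://host[:port], so compare it
// exactly; a substring or prefix test would also match look-alike hosts.
// Returns the message text, or null when the message must be ignored.
function acceptMessage(event, trustedOrigin) {
  if (typeof event.origin !== "string" || event.origin !== trustedOrigin) {
    return null;
  }
  if (typeof event.data !== "string") {
    return null; // the API described in the post carries strings only
  }
  return event.data;
}

// Insert accepted text into the page as text, never as markup, so the
// message channel cannot be used to add script to the hosting page.
function handleMessage(event, container, trustedOrigin) {
  const text = acceptMessage(event, trustedOrigin);
  if (text === null) {
    return false;
  }
  container.textContent = text;
  return true;
}

// Register the handler with the standard event model, falling back to the
// attachEvent model that IE8 used for "onmessage".
function listenForGadget(win, container) {
  const handler = (event) => handleMessage(event, container, GADGET_ORIGIN);
  if (win.addEventListener) {
    win.addEventListener("message", handler, false);
  } else {
    win.attachEvent("onmessage", handler);
  }
}

// Sender side (inside the gadget): name the intended recipient's origin
// instead of "*", so the string is only delivered to the page it was meant for.
function sendToParent(parentWindow, text) {
  parentWindow.postMessage(String(text), PARENT_ORIGIN);
}
```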

Sunava Dutta 
Program Manager

[Ph4nt0m] <http://www.ph4nt0m.org/>

[Ph4nt0m Security Team]

<http://blog.ph4nt0m.org/> [EMAIL PROTECTED]

Email: [EMAIL PROTECTED]

PingMe:
<http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wuhq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>

=== V3ry G00d, V3ry Str0ng ===

=== Ultim4te H4cking ===

=== XPLOITZ ! ===

=== #_# ===

#If you are brave, there is nothing you cannot achieve.#

--~--~---------~--~----~------------~-------~--~----~
 To post to this mailing list, send mail to [email protected]
 To unsubscribe from this list, send mail to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
