Developing Secure Widgets: Secure iFrame Communication in a Pre-postMessage World

The web is replete with “widgets” embedded into sites but hosted by external parties (witness: Google Maps, Facebook Social Plugins). Some of the best uses of these widgets require the various widgets to communicate with the embedding site or even with each other. Without a secure communication channel, though, these widgets can expose sensitive information or capabilities to malicious parties eavesdropping, spoofing, or manipulating that communication.

window.postMessage() [1] gives modern browsers a secure and convenient communication channel. Unfortunately, a significant portion of internet users are browsing with non-modern browsers [2].

The traditional method of communicating between iframes is via updating the target frame’s URL fragment (a.k.a. #hash). This method can be made secure, but naive implementations (of which there are legion) are open to spoofing and eavesdropping.

This talk will describe the Needham-Schroeder-Lowe protocol, a well-known security protocol, and show the protocol’s ability to secure the traditional #hash communication channel against spoofing and eavesdropping attacks.
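The three-message Needham-Schroeder-Lowe exchange, with both sides' checks, as an added example that is not code from the talk or from the cited paper. It assumes a channel model in which a message reaches only the frame at the addressed origin but carries no trustworthy sender information; `makeChannel`, `makeParty` and the message field names are hypothetical.

```javascript
// Added illustration: Needham-Schroeder-Lowe handshake over a modelled #hash channel.
// All names (makeChannel, makeParty, message fields) are hypothetical.
const nonce = () => {
  const c = globalThis.crypto || require('node:crypto').webcrypto;
  return Array.from(c.getRandomValues(new Uint8Array(16)),
    (b) => b.toString(16).padStart(2, '0')).join('');
};

// Assumed channel model: a message reaches only the frame at origin `to`
// (confidential) and says nothing reliable about who sent it (unauthenticated).
function makeChannel() {
  const frames = new Map();
  return {
    attach: (origin, onMessage) => frames.set(origin, onMessage),
    send: (to, msg) => (frames.get(to) || (() => {}))(JSON.parse(JSON.stringify(msg))),
  };
}

function makeParty(self, channel) {
  const pending = new Map();   // our nonce -> origin we addressed (initiator role)
  const issued = new Map();    // our nonce -> origin claimed in message 1 (responder role)
  const authenticated = new Set();
  const rejected = [];
  channel.attach(self, (m) => {
    if (m.step === 1) {        // message 1: answer with both nonces and our own identity
      const nb = nonce();
      issued.set(nb, m.from);
      channel.send(m.from, { step: 2, na: m.na, nb, from: self });
    } else if (m.step === 2) { // message 2: our nonce must come back, and (Lowe's check)
      // the responder named in it must be the origin we addressed
      if (!pending.has(m.na) || pending.get(m.na) !== m.from) { rejected.push(m); return; }
      pending.delete(m.na);
      authenticated.add(m.from);
      channel.send(m.from, { step: 3, nb: m.nb });
    } else if (m.step === 3) { // message 3: only the origin we replied to could read nb
      if (!issued.has(m.nb)) { rejected.push(m); return; }
      authenticated.add(issued.get(m.nb));
      issued.delete(m.nb);
    } else { rejected.push(m); }
  });
  const connect = (peer) => {  // start a handshake; returns the nonce for inspection
    const na = nonce();
    pending.set(na, peer);
    channel.send(peer, { step: 1, na, from: self });
    return na;
  };
  return { connect, authenticated, rejected };
}
```

Each nonce is accepted once and then discarded, so a repeated message 2 or message 3 is rejected rather than re-authenticating the peer.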

The information in this talk is based on research by Adam Barth, Collin Jackson, and John C. Mitchell of Stanford University’s Web Security Group [3].

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html
[2] A brief flip through Wikipedia suggests about 10% of the web browsing population uses Internet Explorer 6 or 7.
[3] http://seclab.stanford.edu/websec/frames/post-message.pdf

About the Speaker:
Rising from the depths of the Quantum Information halls of Caltech, mdawaffe has been using WordPress since 2004 and has been a Contributing Developer since 2006. Enjoys late night conversations about obscure code, long debugging sessions on the beach, and candlelit security reviews.