66 © 2007-2013 Marco Papa & Ellis Horowitz
Same-Origin Policy for Java

Much like Adobe Flash, Java applets, reportedly supported on about 80% of all desktop systems, follow the basic concept of same-origin checks applied to a runtime context derived from the site the applet is downloaded from. The following permissions are available to Java applets:

  • The ability to interact with JavaScript on the embedding page through the JSObject API, with no specific same-origin checks. This mechanism is disabled by default, but may be enabled with the MAYSCRIPT parameter within the <APPLET> tag.
  • In some browsers, the ability to interact with the embedding page through the DOMService API. The documentation does not state what, if any, same-origin checks should apply; based on the aforementioned tests, no checks are carried out, and cross-domain embedding pages may be accessed freely with no need for MAYSCRIPT opt-in. This directly contradicts the logic of the JSObject API.
  • The ability to send same-origin HTTP requests using the browser stack via the URLConnection API, with virtually no security controls, including the ability to set Host headers or insert conflicting caching directives. On the upside, it appears that there is no ability to read 30x redirect bodies or httponly cookies from within applets.
  • The ability to initiate unconstrained TCP connections back to the originating host, and that host only, using the Socket API. These connections do not go through the browser, and are not subject to any additional security checks (e.g., ports
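The following applet is an added example, not code from the slides or from the Papa/Horowitz course. It exercises two of the access paths listed above from a defender's point of view: the JSObject bridge, which the embedding page must opt into with MAYSCRIPT, and the Socket API, which the applet sandbox restricts to the host the applet was loaded from. It assumes a legacy (pre-2017) Java browser plugin with the netscape.javascript classes available on the classpath; the class name OriginDemoApplet and the host other.example.invalid are constructed for illustration.

```java
// Added example (not from the slides): an applet that probes the JSObject and
// Socket permissions described above and reports which ones the runtime allows.
// Assumes a legacy Java plugin that ships netscape.javascript (plugin.jar).
//
// Embedding page without the opt-in (JSObject access should fail):
//   <applet code="OriginDemoApplet.class" codebase="/applets/"></applet>
// Embedding page with the opt-in (JSObject access succeeds):
//   <applet code="OriginDemoApplet.class" codebase="/applets/" mayscript></applet>
import java.applet.Applet;
import java.io.IOException;
import java.net.Socket;
import netscape.javascript.JSException;
import netscape.javascript.JSObject;

public class OriginDemoApplet extends Applet {

    public void start() {
        // 1. JSObject: script access to the embedding page's DOM. It is gated only
        //    by the MAYSCRIPT attribute, not by an origin check, so the page author
        //    is the one granting the applet access to the page.
        try {
            JSObject win = JSObject.getWindow(this);
            if (win == null) {
                // Some plugin versions return null instead of throwing.
                log("JSObject unavailable: embedding page did not set MAYSCRIPT");
            } else {
                Object href = win.eval("document.location.href");
                log("JSObject access granted by MAYSCRIPT; page is " + href);
            }
        } catch (JSException e) {
            log("JSObject blocked (no MAYSCRIPT on the <applet> tag?): " + e);
        }

        // 2. Socket: raw TCP, bypassing the browser, is permitted only back to the
        //    host the applet's code base was loaded from.
        String codebaseHost = getCodeBase().getHost();
        tryConnect(codebaseHost, 80);             // permitted: the originating host
        tryConnect("other.example.invalid", 80);  // rejected by the applet sandbox
    }

    // Attempts a TCP connection and reports whether the sandbox or the network
    // refused it. A SecurityException is the sandbox's origin restriction at work.
    private void tryConnect(String host, int port) {
        try {
            Socket s = new Socket(host, port);
            s.close();
            log("socket to " + host + ":" + port + " allowed");
        } catch (SecurityException e) {
            log("socket to " + host + " denied by the applet sandbox: " + e.getMessage());
        } catch (IOException e) {
            log("socket to " + host + " failed at the network level: " + e.getMessage());
        }
    }

    private void log(String msg) {
        System.out.println(msg); // appears in the Java console
    }
}
```

The point to take from running the two embeddings is that the JSObject check is an opt-in made by the page, not an origin check made by the runtime, so a page that sets MAYSCRIPT on an applet served from another site has handed that site full script access to itself; the Socket path, by contrast, is enforced by the sandbox regardless of what the page says.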
Course: Ajax, Marco Papa, Fall '07