OWASP AppSecUSA 2012: The Same-Origin Saga
Speaker: Brendan Eich
I created what became known as the browser "Same-Origin Policy" (SOP) under duress for Netscape 2, 3, and 4 in the mid-nineties. SOP was intended to preserve the integrity of a user/website session against interference from untrusted other sites. As the web evolved, SOP split from a single precise policy into several variations on a theme, but it remains the default browser content security policy framework.
I will review SOP's vulnerabilities and its "patches" that were intended to mitigate those avenues of attack. I will close by suggesting an extension to SOP that labels scripts loaded cross-site with origins that are distinguishable from (yet related to) the origin of the including web page or application.
For more information visit: http://bit.ly/AppSec12_USA_information
To download the video visit: http://bit.ly/AppSec12_USA_videos
Playlist OWASP AppSec USA 2012: http://bit.ly/AppSec12_USA_playlist