Saturday, October 1, 2011

Foundations: Origin

Every discussion of the security architecture of the web platform should begin with the notion of an origin.  An origin is the basic unit of isolation in the web platform.  Every object in the browser is associated with an origin, which defines its security context.  When a script running in one origin tries to access an object, the browser checks whether the script's origin has access to the object's origin.

So what is an origin?  Simply put, an origin is the scheme, host, and port of the URL associated with the object.  (Hence the name of this blog.)  For example, if you're viewing an article on the New York Times in your browser, that article (and all of its associated objects) is in the http://www.nytimes.com origin.  This blog exists in the http://www.schemehostport.com origin, which means there is a security boundary between this blog and the New York Times.  Of course, there are many subtleties to that security boundary, which we'll get to in due course.

Many folks have written about the browser's origin-based security model, which is often referred to as the same-origin policy because, in the usual case, the browser allows one object to access another if the two objects are in "the same" origin.
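The scheme/host/port comparison described above can be written out as follows. This is an added example, not code from the original post; the names `originOf` and `sameOrigin` are illustrative, it relies on the standard `URL` parser found in browsers and Node.js, and it assumes URLs without a host-based origin (such as `data:`) are never same-origin with anything.

```javascript
// Default ports for the schemes this sketch handles (keys keep the
// trailing ":" because that is how URL.protocol reports the scheme).
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Reduce a URL to its (scheme, host, port) triple, or null when the URL
// has no such triple (data:, javascript:, file:, ...).
function originOf(urlString) {
  const u = new URL(urlString); // throws TypeError on unparseable input
  const scheme = u.protocol;    // already lowercased by the parser
  if (!(scheme in DEFAULT_PORTS) || u.hostname === "") {
    return null;
  }
  // The parser reports an empty port when the default is used or omitted,
  // so fill it in explicitly: http://host and http://host:80 must match.
  const port = u.port === "" ? DEFAULT_PORTS[scheme] : Number(u.port);
  return { scheme: scheme.slice(0, -1), host: u.hostname, port };
}

// Two URLs are same-origin only if all three components are equal.
// Path, query, fragment and credentials play no part in the comparison.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) {
    return false; // assumption: treat these as unique, isolated origins
  }
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs, using the two sites named in the post.
const samples = [
  ["http://www.nytimes.com/a", "http://www.nytimes.com:80/b?x=1"], // same
  ["http://www.nytimes.com/", "http://www.schemehostport.com/"],   // host differs
  ["http://www.nytimes.com/", "https://www.nytimes.com/"],         // scheme differs
  ["http://www.nytimes.com/", "http://www.nytimes.com:8080/"],     // port differs
  ["http://www.nytimes.com/", "http://nytimes.com/"],              // host differs
];
for (const [a, b] of samples) {
  console.log(sameOrigin(a, b) ? "same     " : "different", a, b);
}
```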

If you'd like to learn more about the same-origin policy, one popular reference is Jesse Ruderman's wiki page, but, despite origin's central role in web security, there isn't a specification explaining how the same-origin policy works!  To fix that, I've been working with the IETF's websec working group to write a specification of the web origin concept.  There are still a handful of issues to address, but hopefully we'll finish working through the IETF process soon.

1 comment:

  1. Once you get past the high level, the most thorough public description of the many different 'definitions' of SOP that I am aware of is from Michal Zalewski's browser security document:
    http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy

    It's possible that some points there might be out of date, but I don't know that anyone is keeping track closely.

    Notably, that document shows that even a specification containing a straightforward formulation of the SOP will not have all major browsers in compliance (and I doubt that will change). Also, there will remain important differences in the details of how it is applied.
