Protection and communication abstractions for web browsers

US 10,019,570 B2
Filed: 06/14/2007
Issued: 07/10/2018
Est. Priority Date: 06/14/2007
Status: Active Grant

First Claim

Patent Images

1. A system comprising at least one processor coupled to a non-transitory computer-readable storage medium storing instructions executable by the at least one processor to implement:

a browser configured to integrate first content from a first server associated with a first domain with second content comprising restricted content from a second server associated with a second domain different from the first domain;

a resource management component, at the browser, configured to provide a sandbox for the second content comprising the restricted content, wherein the resource management component is further configured to prevent the restricted content from directly accessing the first content from the first server associated with the first domain and yet allow the restricted content to communicate with the first content from the first server associated with the first domain using a messaging function implemented using browser-side communication across domains using a port-based naming scheme; and

wherein, the browser is further configured to isolate third content from a third server via a browser-side abstraction, different from the sandbox, and wherein the browser-side abstraction is configured to display at least a portion of the third content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methodologies for accessing resources associated with a Web-based application in accordance with one or more embodiments disclosed herein may include a browser that obtains at least first resources from a first domain and second resources from a second domain and a resource management component that facilitates controlled communication between the first resources and the second resources and prevents the first resources and the second resources from accessing other resources that the first resources and the second resources are not permitted to access. The resource management component may be further operable to contain restricted services in a sandbox containment structure and/or to isolate access-controlled resources in a service instance. In addition, the resource management component may be operable to facilitate the flexible display of resources from disparate domains and/or controlled communication therebetween.

344 Citations

20 Claims

1. A system comprising at least one processor coupled to a non-transitory computer-readable storage medium storing instructions executable by the at least one processor to implement:
- a browser configured to integrate first content from a first server associated with a first domain with second content comprising restricted content from a second server associated with a second domain different from the first domain;
  
  a resource management component, at the browser, configured to provide a sandbox for the second content comprising the restricted content, wherein the resource management component is further configured to prevent the restricted content from directly accessing the first content from the first server associated with the first domain and yet allow the restricted content to communicate with the first content from the first server associated with the first domain using a messaging function implemented using browser-side communication across domains using a port-based naming scheme; and
  
  wherein, the browser is further configured to isolate third content from a third server via a browser-side abstraction, different from the sandbox, and wherein the browser-side abstraction is configured to display at least a portion of the third content.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the sandbox is implemented using hypertext markup language (HTML) and a resource containment functionality provided by the browser.
  - 3. The system of claim 1, wherein the sandbox is configured to allow the first content to access the second content contained in the sandbox.
  - 4. The system of claim 1, wherein the browser is configured to allow a web application to create a new popup window.
  - 5. The system of claim 1, wherein the restricted content comprises a script.
  - 6. The system of claim 1, wherein the resource management component is further configured to provide a second sandbox for a third content, wherein the second sandbox is nested within the sandbox.
  - 7. The system of claim 1, wherein the first content further comprises untrusted user input, and wherein the resource management component is further configured to contain the untrusted user input in the sandbox.

8. A method implemented by at least one processor, the method comprising:
- obtaining content, via a browser, comprising restricted content from a server;
  
  at the browser, providing a sandbox for the content comprising the restricted content;
  
  using a browser-side resource management component, preventing the restricted content from directly accessing any non-sandboxed content and yet allowing the restricted content to communicate with the non-sandboxed content using a messaging function implemented using browser-side communication; and
  
  using a browser-side abstraction, different from the sandbox, isolating additional content obtained via the browser, wherein the browser-side abstraction is configured to display at least a portion of the additional content.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising implementing the sandbox using hypertext markup language (HTML) and a corresponding resource containment functionality.
  - 10. The method of claim 8, wherein the restricted content comprises a script.
  - 11. The method of claim 8, wherein the sandbox is enclosed within a browser page.
  - 12. The method of claim 8, further comprising the browser allowing a web application to create a new popup window.
  - 13. The method of claim 8 further comprising providing a second sandbox for a second content different from the content.
  - 14. The method of claim 8, wherein the content further comprises untrusted user input, and wherein the method further comprising containing the untrusted user input in the sandbox.

15. A non-transitory computer-readable medium storing instructions executable by a processor to:
- obtain content, via a browser, comprising a first restricted content and a second restricted content from a server; and
  
  at the browser, provide a first sandbox for the first restricted content and provide a second sandbox for the second restricted content, wherein each of the first sandbox and the second sandbox is implemented using hypertext markup language (HTML) and a resource containment functionality provided by the browser;
  
  using a browser-side resource management component;
  
  (1) prevent the first restricted content from directly accessing the second restricted content and yet allow the first restricted content to communicate with the second restricted content using a messaging function implemented using a port-based naming scheme and prevent the second restricted content from directly accessing the first restricted content and yet allow the second restricted content to communicate with the first restricted content using the messaging function implemented using the port-based naming scheme; and
  
  using a browser-side abstraction, wherein the browser-side abstraction is different from the sandbox, isolate additional content obtained via the browser, wherein the browser-side abstraction is configured to display at least a portion of the additional content.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the content further comprises untrusted user input, and wherein the non-transitory computer-readable medium further comprising instructions executable by the processor to contain the untrusted user input in the sandbox.
  - 17. The non-transitory computer-readable medium of claim 15, wherein the content further comprises a reply to a search query directed to a web server, and wherein the non-transitory computer-readable medium further comprising instructions executable by the processor to contain the reply to the search query in the sandbox.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the content further comprises a user profile comprising a script for a social networking website, and wherein the non-transitory computer-readable medium further comprising instructions executable by the processor to contain at least the script for the social networking website in the sandbox.
  - 19. The non-transitory computer-readable medium of claim 15, wherein the first restricted content comprises untrusted user input, and wherein the non-transitory computer-readable medium further comprising instructions executable by the processor to contain the untrusted user input in the first sandbox.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the second restricted content comprises a script, and wherein the non-transitory computer-readable medium further comprising instructions executable by the processor to contain the script in the second sandbox.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Wang, Jiahe Helen, Fan, Xiaofeng, Jackson, Collin Edward, Howell, Jonathan Ryan, Xu, Zhenbin
Primary Examiner(s)
Ho, Andy
Assistant Examiner(s)
Hoang, Phuong N

Application Number

US11/762,900
Publication Number

US 20080313648A1
Time in Patent Office

4,044 Days
Field of Search

726 2- 6, 726 12- 13, 726 22- 27, 713151-155, 713161, 713164-168
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1441   Countermeasures against mal...

Protection and communication abstractions for web browsers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

344 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protection and communication abstractions for web browsers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

344 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links