Endpoint segregation to prevent scripting attacks
First Claim
1. A system, comprising:
a static content endpoint server implemented by one or more hardware computing devices, wherein the static content endpoint server is configured to:
receive a content page request from a client application;
generate a content page response to the content page request, wherein the content page response comprises a page including static content for the requested content page, an active content source reference that instructs the client application to download an active content loader from an active content endpoint, and a first policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint; and
provide the content page response to the client application from a static content endpoint that is distinct from the active content endpoint;
an active content endpoint server implemented by one or more hardware computing devices, wherein the active content endpoint server is configured to:
receive a loader request from the client application for the active content loader, wherein the active content loader is configured to execute at the client application to download, from the active content endpoint, one or more active content files for active content specified for the content page and a filtering pipe for the active content specified for the content page, wherein the filtering pipe is configured to execute at the client application to filter parameters for methods of the active content files prior to the methods executing at the client application;
generate a loader response to the loader request, wherein the loader response comprises the active content loader and a second policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint;
provide the loader response to the client application from the active content endpoint;
receive, from the active content loader at the client application, an active content request for the one or more active content files for active content specified for the content page;
generate an active content response to the active content request, wherein the active content response comprises the one or more active content files and the second policy setting that instructs the client application to not execute any active content for the content page unless the source of the active content is the active content endpoint; and
provide the active content response to the client application from the active content endpoint.
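As an added illustration (not the patent's own code), the exchange of claim 1 modelled in JavaScript: the static endpoint serves the page with a Content-Security-Policy that names only the active endpoint as a script source, the active endpoint serves the loader and active content files with the same policy, and a simplified client-side check shows which scripts would execute. The origins, file names and the `exchange` helper are assumptions.

```javascript
// Constructed model of the two endpoints in claim 1. Origins are invented
// placeholders; responses are plain objects standing in for HTTP responses.
const STATIC_ORIGIN = "https://static.example.test";
const ACTIVE_ORIGIN = "https://active.example.test";
// The policy setting both endpoints attach: active content runs only if its source
// is the active endpoint. Expressed as a Content-Security-Policy header with no
// 'unsafe-inline', so script text that ends up inside the static page is inert.
const POLICY = `default-src 'none'; script-src ${ACTIVE_ORIGIN}`;

// Static content endpoint: static page (pageText is assumed trusted static content),
// one active content source reference (the loader URL) and the first policy setting.
function staticEndpoint(pageName, pageText) {
  const body = `<!doctype html><title>${pageName}</title><p>${pageText}</p>` +
    `<script src="${ACTIVE_ORIGIN}/loader.js?page=${encodeURIComponent(pageName)}"></script>`;
  return { origin: STATIC_ORIGIN, status: 200, body,
           headers: { "Content-Type": "text/html", "Content-Security-Policy": POLICY } };
}

// Active content endpoint: loader and active content files, each carrying the
// second policy setting. File contents are constructed stand-ins.
const ACTIVE_FILES = {
  "/loader.js": "/* loader: fetch the filtering pipe and active content files */",
  "/app.js": "/* active content for the page */",
};
function activeEndpoint(path) {
  if (!(path in ACTIVE_FILES)) return { origin: ACTIVE_ORIGIN, status: 404, headers: {}, body: "" };
  return { origin: ACTIVE_ORIGIN, status: 200, body: ACTIVE_FILES[path],
           headers: { "Content-Type": "text/javascript", "Content-Security-Policy": POLICY } };
}

// Client side of the policy: decide whether a script from `source` (an origin, or
// null for an inline script) may execute. Simplified matching: exact origin only.
function policyAllowsScript(policyHeader, source) {
  const directives = {};
  for (const d of policyHeader.split(";")) {
    const [name, ...values] = d.trim().split(/\s+/);
    if (name) directives[name] = values;
  }
  const allowed = directives["script-src"] || directives["default-src"] || [];
  if (allowed.includes("'none'")) return false;
  if (source === null) return allowed.includes("'unsafe-inline'");
  return allowed.includes(source);
}

// Walk the exchange for one page and report what the client would execute.
function exchange(pageName, pageText) {
  const csp = staticEndpoint(pageName, pageText).headers["Content-Security-Policy"];
  return { loaderRuns: policyAllowsScript(csp, activeEndpoint("/loader.js").origin),   // true
           inlineRuns: policyAllowsScript(csp, null),                                // false
           staticScriptRuns: policyAllowsScript(csp, STATIC_ORIGIN) };               // false
}
```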
Abstract
A secure and efficient technique to prevent cross-site scripting attacks based on segregating the content within a given content page among independent endpoints, or servers, where static content is provided from one endpoint and active content is provided from another endpoint. Together, the different endpoints make up an endpoint segregation system. Further, security features of HTTP/HTML are used to restrict sources from which active content may be executed according to the division of static and active content among the endpoints of the endpoint segregation system.
20 Claims
1. A system, comprising: (claim 1 is set out in full under First Claim above; dependent claims 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A method, comprising:
performing by one or more servers of a static content endpoint, in response to receiving a content page request from a client application:
generating a content page response to the content page request, wherein the content page response comprises a page including static content for the requested content page, an active content source reference that instructs the client application to download an active content loader from an active content endpoint, and a first policy setting that instructs the client application to not execute any active content for the content page unless sourced from the active content endpoint;
providing the content page response to the client application from a static content endpoint that is distinct from the active content endpoint; and
performing by one or more servers of the active content endpoint:
in response to receiving a loader request from the client application for the active content loader:
generating a loader response to the loader request, wherein the active content loader is configured to execute at the client application to download, from the active content endpoint, one or more active content files for active content specified for the content page and a filtering pipe for the active content specified for the content page, and wherein the loader response comprises the active content loader and a second policy setting that instructs the client application to not execute any active content for the content page unless sourced from the active content endpoint; and
providing the loader response to the client application from the active content endpoint; and
in response to receiving an active content request from the active content loader at the client application:
generating an active content response to the active content request, wherein the active content request specifies one or more active content files for active content specified for the content page, and wherein the active content response comprises the one or more active content files and the second policy setting; and
providing the active content response to the client application from the active content endpoint.
Dependent claims: 12, 13, 14, 15, 16.
17. A method, comprising:
performing, by one or more computer devices:
receiving, from one or more servers for a static content endpoint, a page and a first policy setting, wherein the page includes static content for a requested content page and an active content source reference that instructs a client application to download an active content loader from a particular active content endpoint that is distinct from the static content endpoint, and wherein the first policy setting instructs the client application to not execute any active content for the content page unless a source of the active content is the particular active content endpoint;
applying the first policy setting to prevent execution of any active content for the content page unless a source of active content is the particular active content endpoint;
downloading, based at least in part on the active content source reference in the page, the active content loader and a second policy setting from the particular active content endpoint;
applying the second policy setting to prevent execution of any active content for the content page unless a source of active content is the particular active content endpoint; and
executing the active content loader, wherein said executing the active content loader comprises:
downloading, from one or more servers of the particular active content endpoint, a filtering pipe and one or more active content files for active content specified for the content page; and
executing the filtering pipe, wherein said executing the filtering pipe comprises filtering parameters for one or more methods of the one or more active content files prior to executing the one or more methods to generate active content for the content page.
Dependent claims: 18, 19, 20.
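The filtering pipe of claim 17, as an added JavaScript example that is not the patent's own code: the methods of a constructed active content file are reachable only through wrappers that pass every parameter through a filter before the method runs, and methods not listed in the pipe are not reachable at all. The method names, the filters and `makeFilteringPipe` are assumptions.

```javascript
// Constructed example of the filtering pipe in claim 17. The active content file,
// its method names and the filters are invented for illustration.
const rendered = { greeting: "", count: 0 };   // stands in for page state / DOM

// A constructed active content file whose methods take untrusted parameters.
const activeContentFile = {
  setGreeting(name) { rendered.greeting = `Hello, ${name}`; return rendered.greeting; },
  setCount(n) { rendered.count = n; return rendered.count; },
  resetAll() { rendered.greeting = ""; rendered.count = 0; },   // not exposed by the pipe
};

// Parameter filters: return a cleaned value, or throw to block the method call.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
const boundedInt = (min, max) => (v) => {
  const n = Number(v);
  if (!Number.isInteger(n) || n < min || n > max) throw new RangeError(`out of range: ${v}`);
  return n;
};

// Build the pipe: `spec` maps each exposed method to one filter per positional
// parameter. Every filter runs before the method does; methods absent from the
// spec are not reachable through the pipe (deny by default).
function makeFilteringPipe(file, spec) {
  const piped = {};
  for (const [method, filters] of Object.entries(spec)) {
    if (typeof file[method] !== "function") throw new Error(`unknown method ${method}`);
    piped[method] = (...args) => {
      if (args.length > filters.length) throw new Error(`too many parameters for ${method}`);
      const clean = args.map((arg, i) => filters[i](arg));   // filtering happens here
      return file[method](...clean);
    };
  }
  return Object.freeze(piped);
}

// The pipe the loader would execute for this page's active content.
const pipe = makeFilteringPipe(activeContentFile, {
  setGreeting: [escapeHtml],
  setCount: [boundedInt(0, 100)],
});
```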