Method and system for improved internet security via HTTP-only cookies
Abstract
A system and method that prevents certain cookies, as specified by an Internet server, from being accessed through client-side script, thereby limiting the damage that cross-site scripting attacks can accomplish. The server marks selected cookies with an attribute that flags such cookies as protected, and a security mechanism in the client prevents protected cookies from being accessed via script. A protected (flagged) cookie can still be accessed by the server (e.g., via HTTP), while non-flagged cookies can be accessed by the server or by script. An API or similar layer implements the security mechanism that checks for the attribute and fails requests for any cookie having that attribute set. The present invention can also be adapted to prevent a malicious script from overwriting existing HTTP-only cookies on a client machine.
22 Claims
1. In a computing environment, a method comprising:
   receiving a request to access a cookie, the request originating from unsafe content;
   determining whether the cookie is protected by evaluating information associated with the cookie; and
   if the information indicates the cookie is protected, denying the request.
   (Dependent claims 2 through 11 not shown.)
12. In a computing environment, a system comprising:
   a transport component that receives a response from a web site, the response including unsafe content;
   a browser component that parses and interprets the unsafe content received via the transport component, including invoking an engine to execute code present in the unsafe content, the code requesting access to a cookie; and
   a security mechanism operably connected to the browser component, the security mechanism configured to determine whether the cookie is accessible to the unsafe content based on information associated with the cookie, the security mechanism further configured to deny access to the cookie when the information indicates that the cookie is not accessible to the unsafe content.
   (Dependent claims 13 through 18 not shown.)
19. A computer-readable medium having computer-executable instructions for performing a method, comprising:
   receiving a response from a web site;
   interpreting content in the response, including invoking a script engine to run script present in the content;
   receiving a request originating in the script to return a cookie, and in response, calling a function to return the cookie in response; and
   determining whether the cookie is protected from script access by evaluating information associated with the cookie, and
   a) if the information indicates the cookie is not protected, returning the cookie in response to the request; and
   b) if the information indicates the cookie is protected, denying the request.
   (Dependent claims 20 through 22 not shown.)