Securing resources from untrusted scripts behind firewalls
Abstract
The invention provides a new mechanism which is used to protect all internal resources against requests from sandboxed scripts. In the preferred embodiment, the mechanism is implemented for SOAP calls by untrusted scripts. When an attempt is made to access a resource at a previously-unknown URI, the sandbox reads a file at that domain with declarations to determine whether access is permitted to the script. If the file is not found, the access is denied.
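The check the abstract describes, sketched as an added example that is not taken from the patent. The declaration format (a list of `type`/`from` entries), the function names and the example hosts are assumptions, and an in-memory table stands in for fetching the declaration file.

```javascript
// Added illustration: declaration format, names and hosts are assumptions.
// Constructed declaration files, keyed by server root (stands in for a fetch).
const DECLARATIONS = {
  "http://intranet.example": {
    allow: [
      { type: "soap", from: "http://scripts.example.org" },
      { type: "soap", from: "http://partner.example.net" },
    ],
  },
  "http://hr.intranet.example": { allow: "everyone" }, // malformed on purpose
  // "http://db.intranet.example" publishes no declaration file at all
};

const cache = new Map(); // server root -> { defs, reason }, filled on first contact

// A declaration is valid only if every entry names a request type and an origin.
function isValid(decl) {
  return Boolean(decl) && Array.isArray(decl.allow) && decl.allow.every(
    (d) => d && typeof d.type === "string" && typeof d.from === "string");
}

// Load and validate the declaration for a root once; a missing or bad file denies.
function loadDefinitions(root, load) {
  if (cache.has(root)) return cache.get(root);
  const decl = load(root);
  let entry;
  if (decl === undefined) entry = { defs: null, reason: "declaration file not found" };
  else if (!isValid(decl)) entry = { defs: null, reason: "declaration invalid" };
  else entry = { defs: decl.allow, reason: null };
  cache.set(root, entry);
  return entry;
}

// Decide one request from a sandboxed script; returns { allowed, reason }.
function checkAccess(scriptUrl, requestType, requestUri, load = (r) => DECLARATIONS[r]) {
  const root = new URL(requestUri).origin;      // where the declaration lives
  const scriptOrigin = new URL(scriptUrl).origin; // where the script came from
  const { defs, reason } = loadDefinitions(root, load);
  if (defs === null) return { allowed: false, reason };
  const typed = defs.filter((d) => d.type === requestType);
  if (typed.length === 0) return { allowed: false, reason: "request type not allowed" };
  if (!typed.some((d) => d.from === scriptOrigin))
    return { allowed: false, reason: "script origin not allowed" };
  return { allowed: true, reason: "declared" };
}
```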
38 Claims
1. A method for protecting internal resources against an untrusted script originated from an external server, said script being executed in a security sandbox behind a network firewall, said method comprising the steps of:
- said untrusted script requesting to access an internal resource at an internal server;
- said security sandbox loading a plurality of script control definitions, said plurality of script control definitions comprising allowable request types and script originations;
- said security sandbox validating said plurality of script control definitions;
- said security sandbox verifying the type of request is allowed in said plurality of script control definitions;
- said security sandbox verifying the origination of said untrusted script is allowed in said plurality of script control definitions; and
- said security sandbox allowing said untrusted script to access said internal resource.
Dependent claims: 2, 3, 4, 5
6. A method for protecting internal resources against an untrusted script originated from an external server, said script being executed in a security sandbox behind a network firewall, said method comprising the steps of:
- said untrusted script requesting to access an internal resource at a request URI;
- said security sandbox loading a script control definition from a declaration file at the root directory of said request URI, said script control definition comprising allowable request types and script originations; and
- said security sandbox validating said script control definition at said root directory;
- wherein, when said request URI is not a subdirectory, said method further comprising the steps:
  - said security sandbox verifying that the type of request is allowed in said script control definition at said root directory;
  - said security sandbox verifying that the origination of said untrusted script is allowed in said script control definition at said root directory; and
  - said security sandbox allowing said untrusted script to access said internal resource.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 37
22. A system for protecting internal resources against untrusted scripts, comprising:
- an untrusted script originated from an external server;
- a security sandbox wherein said untrusted script is executed behind a network firewall; and
- an internal server serving internal resources, said internal server further comprising a plurality of script control definitions defined in a plurality of declaration files;
- wherein said untrusted script requests to access an internal resource at said internal server via a request URI;
- wherein said security sandbox loads a script control definition from a declaration file at the root directory of said request URI, said script control definition comprising allowable request types and script originations; and
- wherein said security sandbox validates said script control definition at said root directory.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38
Specification