ACCESSING NETWORK RESOURCES OUTSIDE A SECURITY BOUNDARY

US 20080189757A1
Filed: 02/01/2007
Published: 08/07/2008
Est. Priority Date: 02/01/2007
Status: Active Grant

First Claim

Patent Images

1. At a computer system connected to a network, the computer system including a host environment with a network based application running inside a security boundary of the host environment, an originating computer system and one or more other external computer systems also being connected to the network, the originating computer system and one or more other computer systems being outside of the security boundary, the network based application having been received from the originating computer system, a method for making a network access decision for the network based application, the method comprising:

an act of receiving a network access request from the network based application running inside the security boundary, the network access request requesting network access be implemented to one of the external computer systems outside of the security boundary;

an act of accessing network security policies that control network access to the external computer systems, the network security policies configured to make a network access decision for the network access request based on network access information corresponding to the network access request;

an act of accessing network access information associated with the network access request, the network access information including at least one property of a setting for the computer system and at least one property of the network access request;

an act of applying the network security polices to the network access information to make a network access decision for the received network access request; and

an act of returning the network access decision to the network based application to indicate to the network based application whether or not the network based application is permitted to implement the requested network access to the external computer system outside of the security boundary.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to methods, systems, and computer program products for accessing network resources outside a security boundary. The present invention can provide a modules running within a security boundary (e.g., sandboxed client-side scripts) access to network resources at computer systems other than the computer system where the module originated. When network access is permitted, the properties of network request can be adjusted so that security information of the client system and the originating computer system for the module are not divulged. Thus, a module can obtain content for inclusion in a Web page from third party servers in a more secure meaner. Network e access decisions can be made based on ambient data already accessible to a host environment such that network access decisions can be made in a more automated manner.

Citations

20 Claims

1. At a computer system connected to a network, the computer system including a host environment with a network based application running inside a security boundary of the host environment, an originating computer system and one or more other external computer systems also being connected to the network, the originating computer system and one or more other computer systems being outside of the security boundary, the network based application having been received from the originating computer system, a method for making a network access decision for the network based application, the method comprising:
- an act of receiving a network access request from the network based application running inside the security boundary, the network access request requesting network access be implemented to one of the external computer systems outside of the security boundary;
  
  an act of accessing network security policies that control network access to the external computer systems, the network security policies configured to make a network access decision for the network access request based on network access information corresponding to the network access request;
  
  an act of accessing network access information associated with the network access request, the network access information including at least one property of a setting for the computer system and at least one property of the network access request;
  
  an act of applying the network security polices to the network access information to make a network access decision for the received network access request; and
  
  an act of returning the network access decision to the network based application to indicate to the network based application whether or not the network based application is permitted to implement the requested network access to the external computer system outside of the security boundary.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein the act of receiving a network access request from the network based application running inside the security boundary comprises an act of receiving a network access request from a client-side script running inside a sandbox.
  - 3. The method as recited in claim 1, wherein the act of receiving a network access request from the network based application running inside the security boundary comprises an act of receiving network access request to access content form one of the one or more external computer systems for inclusion in a Web page.
  - 4. The method as recited in claim 1, wherein the act of accessing network security policies that control network access to the external computer systems comprises an cat of accessing network security policies including one or more of domain access rights, application type access rights, override rules, external program calls, network type access rules, and network location access rules.
  - 5. The method as recited in claim 1, wherein the act of accessing network access information associated with the network access request comprises an act of accessing ambient information associated with the host environment.
  - 6. The method as recited in claim 1, wherein an act of accessing network access information associated with the network access request comprises an act of accessing network access information including one or more of URL information, trust zone information, system settings, browser settings, network access type, request size, an electronic address, a protocol, and protocol semantics of the protocol.
  - 7. The method as recited in claim 1, wherein the act of applying the network security polices to the network access information to make a network access decision for the received network access request comprises an act of providing the network access information as input to computer-executable instructions included in the network security polices.

8. At a computer system connected to a network, the computer system including a Web browser with a Web based application running inside a security boundary of the Web browser, an originating computer system and one or more other external computer systems also being connected to the network, the originating computer system and one or more other computer systems being outside of the security boundary, the Web based application having been received from the originating computer system, a method for implementing network access from the Web based application inside the security boundary to one of the external computer systems outside of the security boundary, the method comprising:
- an act of receiving a network access request from the Web based application running inside the security boundary, the network access request requesting that a network access be implemented to one of the external computer systems outside of the security boundary;
  
  an act of accessing network security policies that control network access to the external computer systems, the network security policies configured to make a network access decision for the network access request based on network access information associated with the network access request;
  
  an act of accessing network access information associated with the network access request, the network access information including at least one property of a setting for the Web browser and at least one property of the network access request;
  
  an act of applying the network security polices to the network access information to determine that the requested network access is to be permitted;
  
  an act of permitting network communication from the Web based application running inside the security boundary to the external computer system outside of the security boundary such that the Web based application can retrieve content from the external computer system notwithstanding that the Web based application was received from the originating computer system; and
  
  an act of indicating to the Web based application that network access to the external computer system has been permitted.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method as recited in claim 8, wherein the act of receiving a network access request from the Web based application running inside the security boundary comprises an act of receiving a network access request from a client-side script running in a sandbox.
  - 10. The method as recited in claim 8, wherein the act of receiving a network access request from the Web based application running inside the security boundary comprises an act of receiving a network access request for content to be included in a Web page.
  - 11. The method as recited in claim 8, wherein the act of accessing network security policies that control network access to the external computer systems, comprises:
    - an act of presenting a user-interface control prompting a user to enter a network security policy related to the network access request; and
      
      an act of receiving user-input data through the user-interface control, the user-input data indicative of a network security policy related to the network access request.
  - 12. The method as recited in claim 8, wherein the act of accessing network access information associated with the network access request comprises an act accessing a browser setting of the Web browser that persists across multiple network access requests.
  - 13. The method as recited in claim 12, further comprising subsequent to the act of permitting network communication from the Web based application to the external computer system:
    - an act of formulating a related request to request content responsive to the network access request, the request being adjusted such that security information of the computer system and the originating computer system are not divulged to the external computer system;
      
      an sending the related request to the external computer system to request the content requested in the network access request in a more secure manner.
  - 14. The method as recited in claim 13, wherein the act of sending the related request to the external computer system comprises an act of sending the related request over the Internet.
  - 15. The method as recited in claim 13, further comprising:
    - an act of receiving the requested content from the external computer system; and
      
      an act of forwarding the received content to the Web based application.

16. At a computer system connected to a network, the computer system including a Web browser with a Web based application running inside a security boundary of the Web browser, an originating computer system and one or more other external computer systems also being connected to the network, the originating computer system and the one or more other computer systems being outside of the security boundary, the Web based application having been received from the originating computer system, a method for implementing network access from the Web based application inside the security boundary to one of the external computer systems outside of the security boundary, the method comprising:
- an act of sending a Web page request to the originating computer system;
  
  an act of receiving a Web page from the originating computer system in response to the Web page request, the Web page including a Web based application configured to provide at least a portion of the content for the Web page;
  
  an act of running the Web based application inside a security boundary of the Web browser;
  
  an act of the Web based application running inside the security boundary sending a network access request, the network access request requesting network access be implemented to one of the external computer systems outside of the security boundary;
  
  an act of receiving an indication that network access to the external computer system outside of the security boundary has been permitted; and
  
  an act of the Web based application running inside the security boundary retrieving content from the external computer system outside of the security boundary for inclusion in the Web page notwithstanding that the Web based application was received from the originating computer system.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method as recited in claim 16, wherein the act of receiving a Web page from the originating computer system comprises an act of receiving a Web page that includes a client-side script.
  - 18. The method as recited in claim 16, wherein the act of running the Web based application inside a security boundary of the Web browser comprises an act of running a client-side script in a sandbox.
  - 19. The method as recited in claim 16, wherein the act of the Web based application running inside the security boundary retrieving content from the external computer system comprises an act of a client-side script received from an originating Web server and running in a sandbox of the Web browser retrieving content from another different Web server.
  - 20. The method as recited in claim 19, further comprising:
    - an act of including the retrieved content from the other Web server in a Web page also received from the originating Web server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Schackow, Stefan N., Kothari, Nikhil

Granted Patent

US 7,870,596 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

H04L 63/20 for managing network securi...

ACCESSING NETWORK RESOURCES OUTSIDE A SECURITY BOUNDARY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESSING NETWORK RESOURCES OUTSIDE A SECURITY BOUNDARY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links