REDUCING CROSS-SITE SCRIPTING ATTACKS BY SEGREGATING HTTP RESOURCES BY SUBDOMAIN
Abstract
An arrangement for reducing the occurrence of harmful cross-site scripting is provided by segregating on-line content or other resources so that they are accessible at different domains or subdomains, each of which corresponds to a set of users, called a “sharing set,” where each user in the set has identical access privileges to certain resources. The sharing set is provided with an identifier (which may or may not be unique), so that the identifier may be used as the name of the domain or subdomain for which any member of the sharing set is authorized to access the resources located there. In this way, script that is embedded with the content can only be executed among members of the sharing set. Users who are not members of the sharing set are unable to invoke cross-site scripting attacks that would allow them to gain access to data from sharing set members.
20 Claims
1. A method of storing network-accessible resources, the method comprising the steps of:
- assigning first and second subdomains to first and second network-accessible resources, respectively, the first and second subdomains being associated with first and second groups of users, respectively, and members of each group having a common set of access privileges to their respective network-accessible resources; and
- storing the first and second resources at network locations having addresses within the first and second subdomains, respectively.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A method of accessing a network-accessible resource, the method comprising the steps of:
- receiving over a network an address of a resource to be accessed by a user, the address including a subdomain corresponding to a group of users who have a common set of access privileges with respect to the resource;
- retrieving the resource and metadata associated therewith using the address that is received; and
- comparing information derived from the metadata with the subdomain included with the address and, if a match is obtained, forwarding the resource over the network to the user.

Dependent claims: 11, 12, 13, 14

15. A method of securing network-accessible content from access by unauthorized users, the method comprising the steps of:
- establishing a sharing set, the sharing set including users having identical access privileges to selected network-accessible content;
- segregating the selected network-accessible content by storing it at a network location having a network address within a subdomain accessible only to the sharing set;
- storing an ACL associated with the selected network-accessible content, the ACL specifying the users in the sharing set;
- receiving a request from a user to access a content item from among the selected network-accessible content;
- determining if the user is a member of the sharing set; and
- forwarding the content item to the user only if the user is a member of the sharing set.

Dependent claims: 16, 17, 18, 19, 20
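The storage and access checks of claims 1, 10 and 15, as an added Python sketch that is not taken from the patent: each resource's URL sits in a subdomain named after its sharing set, so the browser's same-origin policy separates content belonging to different sets. The `docs.example` base domain, the hash-derived identifier, the `Store` class and the sample users are assumptions, and the requester is assumed to be authenticated already.

```python
import hashlib

BASE_DOMAIN = "docs.example"  # assumed hosting domain (constructed)

def sharing_set_id(acl):
    """DNS-safe label for a sharing set (assumed scheme: truncated SHA-256 of members)."""
    members = "\n".join(sorted({u.lower() for u in acl}))
    return "s" + hashlib.sha256(members.encode()).hexdigest()[:20]

def subdomain_of(host):
    """Single label in front of BASE_DOMAIN from a Host header, else None."""
    name = host.lower().split(":")[0].rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    return label if label and "." not in label else None

class Store:
    def __init__(self):
        self._items = {}  # path -> (ACL metadata, body)

    def put(self, path, acl, body):
        """Store a resource with its ACL; return the URL inside its sharing set's subdomain."""
        members = frozenset(u.lower() for u in acl)
        self._items[path] = (members, body)
        return f"https://{sharing_set_id(members)}.{BASE_DOMAIN}{path}"

    def serve(self, host, path, user):
        """Return (status, body) for a request by an already authenticated user."""
        item, label = self._items.get(path), subdomain_of(host)
        if item is None or label is None:
            return 404, b""
        acl, body = item
        if label != sharing_set_id(acl):   # claim 10: metadata must match the subdomain
            return 404, b""
        if user.lower() not in acl:        # claim 15: requester must be in the sharing set
            return 403, b""
        return 200, body

# Constructed sample data: two resources with different sharing sets.
store = Store()
team_url = store.put("/plan.html", ["alice@example.com", "bob@example.com"], b"<p>plan</p>")
solo_url = store.put("/note.html", ["mallory@example.com"], b"<script>/* untrusted */</script>")

if __name__ == "__main__":
    print(team_url, solo_url, sep="\n")
```

The subdomain comparison in `serve` keeps a resource from being delivered under another sharing set's origin, even to a user who could read it at its own address.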
Specification