SECURITY RESTRICTION TECHNIQUES FOR BROWSER-BASED APPLICATIONS

US 20100192193A1
Filed: 01/23/2009
Published: 07/29/2010
Est. Priority Date: 01/23/2009
Status: Abandoned Application

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions for causing a computer to perform steps comprising:

when receiving a request from an external application to retrieve data to be used by the external application within a client browser, performing an intersection on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the data requested by the external application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various technologies and techniques are disclosed for restricting security levels that can be used with browser-based applications. When a request is received from an external application to retrieve data for use in a client browser, an intersection is performed on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the requested data. Techniques for restricting operations of an external application that is being run in a client browser are also described. A session token is returned to a client browser after validating access can be granted to the client browser. Validation is performed to confirm access can be granted to an external application. A request for data is received from the external application, with the request for data containing the session token. The requested data is retrieved and returned to the external application.

Citations

20 Claims

1. A computer-readable medium having computer-executable instructions for causing a computer to perform steps comprising:
- when receiving a request from an external application to retrieve data to be used by the external application within a client browser, performing an intersection on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the data requested by the external application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-readable medium of claim 1, further having computer-executable instructions for causing a computer to perform steps comprising:
    - using a security level associated with the new permission set for an operation that retrieves the data; and
      
      returning the data to the external application.
  - 3. The computer-readable medium of claim 1, wherein the new permission set prevents an elevation of privilege by the user and the external application.
  - 4. The computer-readable medium of claim 1, wherein the external application is provided by a third party.
  - 5. The computer-readable medium of claim 1, wherein the external application is hosted on a separate application domain.
  - 6. The computer-readable medium of claim 1, wherein the request from the external application includes a session token that was originally provided to the client browser.
  - 7. The computer-readable medium of claim 1, further having computer-executable instructions for causing a computer to perform steps comprising:
    - prior to performing the intersection, ensuring that the user of the client browser is logged in and that the external application is logged in.
  - 8. The computer-readable medium of claim 1, wherein the external application is a component that gets rendered in the client browser.

9. A method for restricting operations that can be performed by an external application that is being run in a client browser comprising the steps of:
- receiving a request from a client browser to login to an original application;
  
  returning a session token to the client browser after validating that access to the original application can be granted to the client browser;
  
  while the client browser is still logged in to the original application, receiving a request from an external application to login to the original application;
  
  validating that access to the original application can be granted to the external application;
  
  receiving a request for data from the external application, with the request for data containing the session token that the external application obtained from the client browser;
  
  retrieving the data requested by the external application; and
  
  returning the data to the external application.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, further comprising the steps of:
    - prior to retrieving the data, performing an intersection on a permission set of a user of the client browser and of the external application to determine a new permission set, and using the new permission set when retrieving the data.
  - 11. The method of claim 10, wherein the new permission set prevents an elevation of privilege by the user and the external application.
  - 12. The method of claim 9, wherein at least some of the data being returned to the external application is data to be displayed in the client browser.
  - 13. The method of claim 9, wherein the external application is provided by a third party.
  - 14. The method of claim 9, wherein the external application is hosted on a separate application domain from the original application.
  - 15. The method of claim 9, wherein the external application is a component that gets rendered in the client browser.
  - 16. The method of claim 9, wherein the session token is provided to the external application by the client browser when the client browser requests that the external application render data that is contained in the original application.
  - 17. The method of claim 9, wherein the session token includes a time identifier, application identifier, and user identifier.

18. A method for restricting operations that can be performed by an external application that is being run in a client browser comprising the steps of:
- receiving a request from a client browser to login to an original application;
  
  returning a session token to the client browser after validating that access to the original application can be granted to the client browser;
  
  while the client browser is still logged in to the original application, receiving a request from an external application to login to the original application;
  
  validating that access to the original application can be granted to the external application;
  
  receiving a request for data from the external application, with the request for data containing the session token that the external application obtained from the client browser;
  
  while the client browser and external application are both still logged in to the original application, performing an intersection on a permission set of a user of the client browser and of the external application to determine a new permission set;
  
  using a security level associated with the new permission set for an operation that retrieves the data; and
  
  returning the data to the external application.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the external application is a component that gets rendered in the client browser.
  - 20. The method of claim 18, wherein the session token includes a time identifier, application identifier, and user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Golden, Joseph Maxwell, Olson, Elisabeth Katarina, Zhu, Shaofeng, Ammerlaan, Michael

Application Number

US12/358,268
Publication Number

US 20100192193A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

SECURITY RESTRICTION TECHNIQUES FOR BROWSER-BASED APPLICATIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY RESTRICTION TECHNIQUES FOR BROWSER-BASED APPLICATIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links