HOSTED APPLICATION SANDBOX MODEL
Abstract
An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user's computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user's computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.
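The scheme in the abstract, sketched as an added example that is not taken from the patent: one subdomain per application, all names served from one address and routed by Host header, and the browser's origin comparison keeping two applications apart. The host name `apphost.example`, the app ids and all function names are assumptions; the cookie check goes one step beyond the abstract to show where per-subdomain isolation stops holding.

```javascript
// Added illustration. HOST_DOMAIN, the app ids and all function names are assumptions.
const HOST_DOMAIN = "apphost.example";

// Registering component: one DNS label per application. Restricting the label
// to [a-z0-9-] keeps an app id from containing a dot and naming another host.
function allocateSubdomain(registry, appId) {
  const label = String(appId).toLowerCase();
  if (!/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) {
    throw new Error("not a single DNS label: " + appId);
  }
  if (registry.has(label)) throw new Error("already allocated: " + label);
  registry.set(label, appId);
  return label + "." + HOST_DOMAIN;
}

// All subdomains map to the host's one address, so the application is
// selected from the Host header; unknown or nested names select nothing.
function routeByHost(registry, hostHeader) {
  const host = String(hostHeader).toLowerCase().replace(/:\d+$/, "");
  const suffix = "." + HOST_DOMAIN;
  if (!host.endsWith(suffix)) return null;
  return registry.get(host.slice(0, -suffix.length)) ?? null;
}

// The browser's cross-domain restriction compares scheme, host and port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Cookie scoping (RFC 6265): with a Domain attribute the cookie is sent to that
// domain and every subdomain; without one it stays on the host that set it.
function cookieSentTo(setByHost, domainAttr, requestHost) {
  if (!domainAttr) return requestHost === setByHost;
  const d = domainAttr.replace(/^\./, "").toLowerCase();
  return requestHost === d || requestHost.endsWith("." + d);
}

// Isolation construct: the host page frames the UI from the app's own subdomain.
function embedMarkup(appHost) {
  return '<iframe src="https://' + appHost + '/"></iframe>';
}

const registry = new Map();
const mail = allocateSubdomain(registry, "mail");   // mail.apphost.example
const notes = allocateSubdomain(registry, "notes"); // notes.apphost.example
console.log(sameOrigin("https://" + mail, "https://" + notes)); // false
console.log(cookieSentTo(mail, "apphost.example", notes));      // true
console.log(cookieSentTo(mail, undefined, notes));              // false
console.log(embedMarkup(notes));
```

A cookie scoped to the parent domain crosses the per-application boundary that the origin check enforces, so cookies set by an application need to stay host-only for the isolation to cover client-side state.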
20 Claims
1. A system configured to execute an application on behalf of a user of a computer connected to the system over a network, the system having a network address and comprising:
- an application store configured to store the application;
- an application registering component configured to allocate a distinct subdomain of the system for the application mapped to the network address of the system; and
- an application executing component configured to, upon receiving a request to execute the application on behalf of the user:
  - execute the application on the system, and
  - present to the user an application user interface of the application served from the distinct subdomain.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
19. A computer-readable storage medium, the medium comprising instructions that, when executed by at least one processor of a system connected to a network and having a network address and an application store, cause the at least one processor to execute an application on behalf of a user of a computer by:
- storing the application in the application store;
- allocating a distinct subdomain of the system for the application mapped to the network address of the system; and
- upon receiving a request to execute the application on behalf of the user:
  - executing the application on the system, and
  - presenting to the user an application user interface of the application served from the distinct subdomain.
20. A system comprising a web application server configured to execute an application comprising a web application on behalf of a user of a computer connected to the system over a network, the system having a network address and having access to a computing environment store configured to store at least one data object comprising a computing environment of the user, the application instructions that, when executed by at least one processor of the system, cause the at least one processor to execute at least one operation applicable to the computing environment of the user according to at least one permission, and the system comprising:
- an application store configured to store the application;
- an application registering component configured to allocate a distinct subdomain of the system for the application mapped to the network address of the system;
- an application installing component configured to, upon receiving a request from the user to install the application, install the application within the computing environment of the user;
- an application cataloging component configured to present to the user at least one application stored in the application store and installable within the computing environment of the user;
- an application receiving component configured to, upon receiving an application from an application developer:
  - store the application in the application store, and
  - invoke the application registering component to allocate the distinct subdomain of the system for the application;
- a user login interface configured to:
  - present to the user a user login interface configured to receive from the user at least one user login credential, and
  - upon receiving from the user the at least one user login credential:
    - verify the at least one user login credential, and
    - upon verifying the at least one user login credential:
      - generate the at least one user authentication credential, and
      - send to the computer the at least one user authentication credential;
- a permission token generating component configured to, upon receiving from the user an authorization of the permission to apply the at least one operation of the application to the computing environment:
  - generate the permission token indicating the permission to apply the at least one operation of the application to the computing environment, and
  - send the permission token to the computer; and
- an application executing component configured to, upon receiving a request to execute the application on behalf of the user:
  - authenticate the user according to at least one user authentication credential received from the user;
  - authenticate the application according to the at least one application authentication credential received from the application;
  - after authenticating the user and after authenticating the application, execute the application on the system by:
    - receiving the at least one permission token with the request to execute the application on behalf of the user;
    - validating the at least one permission token; and
    - upon validating the at least one permission token, applying the operation of the application to the computing environment of the user; and
  - present to the user an application user interface of the application, comprising a web page embedding the application rendered in a web browser of the computer, the application user interface served from the distinct subdomain and presented within an isolation construct configured to isolate the application user interface from other applications executing on the computer, the isolation construct comprising a hypertext markup language IFRAME element associated with the distinct subdomain allocated for the application.
Specification