Cross-Origin Communication in Restricted Computer Environments

US 20180367572A1
Filed: 06/16/2017
Published: 12/20/2018
Est. Priority Date: 06/16/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for communicating data between a first execution context on a computing system and a second execution context on the computing system,wherein the first execution context executes content from a first origin,wherein the second execution context executes content from a second origin that is different from the first origin, andwherein the first execution context and the second execution context are each restricted from accessing data of the other as a result of a same-origin policy implemented by the computing system, the method comprising:

establishing a bi-directional communication channel between the first execution context and the second execution context, including;

receiving, in the first execution context, an initial discovery message that was transmitted from the second execution context;

determining, in the first execution context and based on the initial discovery message that was transmitted from the second execution context, an identifier of the second execution context;

establishing, using the identifier of the second execution context, a first uni-directional sub-channel of the bi-directional communication channel, the first uni-directional sub-channel configured to carry messages from the first execution context to the second execution context;

receiving, in the second execution context, a connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel;

determining, in the second execution context and based on the connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel, an identifier of the first execution context; and

establishing, using the identifier of the first execution context, a second uni-directional sub-channel of the bi-directional communication channel, the second uni-directional sub-channel configured to carry messages from the second execution context to the first execution context; and

communicating messages between the first execution context and the second execution context over the bi-directional communication channel.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This specification discloses techniques for communicating data between a first execution context on a computing system and a second execution context on the computing system. The first execution context can execute content from a first origin, the second execution context can execute content from a second origin that is different from the first origin, and the first execution context and the second execution context can each be restricted from accessing data of the other as a result of a same-origin policy implemented by the computing system. The method can include establishing a bi-directional communication channel between the first execution context and the second execution context.

24 Citations

View as Search Results

20 Claims

1. A computer-implemented method for communicating data between a first execution context on a computing system and a second execution context on the computing system,wherein the first execution context executes content from a first origin,wherein the second execution context executes content from a second origin that is different from the first origin, andwherein the first execution context and the second execution context are each restricted from accessing data of the other as a result of a same-origin policy implemented by the computing system, the method comprising:
- establishing a bi-directional communication channel between the first execution context and the second execution context, including;
  
  receiving, in the first execution context, an initial discovery message that was transmitted from the second execution context;
  
  determining, in the first execution context and based on the initial discovery message that was transmitted from the second execution context, an identifier of the second execution context;
  
  establishing, using the identifier of the second execution context, a first uni-directional sub-channel of the bi-directional communication channel, the first uni-directional sub-channel configured to carry messages from the first execution context to the second execution context;
  
  receiving, in the second execution context, a connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel;
  
  determining, in the second execution context and based on the connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel, an identifier of the first execution context; and
  
  establishing, using the identifier of the first execution context, a second uni-directional sub-channel of the bi-directional communication channel, the second uni-directional sub-channel configured to carry messages from the second execution context to the first execution context; and
  
  communicating messages between the first execution context and the second execution context over the bi-directional communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, wherein in accordance with the same-origin policy, the computing system classifies the second origin as being different from the first origin in response to identifying that at least one of transmission protocols, addresses, or port numbers of the first origin and the second origin differ from each other.
  - 3. The computer-implemented method of claim 1, wherein the first execution context comprises a first window object configured to present the content from the first origin, wherein the second execution context comprises a second window object configured to present the content from the second origin.
  - 4. The computer-implemented method of claim 3, wherein:
    - the content presented in the first window object comprises a first web page that is hosted by one or more servers at a first domain associated with the first origin;
      
      the content presented in the second window object comprises a second web page that is hosted by one or more servers at a second domain associated with the second origin; and
      
      the second window object is an inline frame (iFrame) that is embedded in the first web page.
  - 5. The computer-implemented method of claim 1, further comprising:
    - generating the first execution context and the second execution context with a web browsing application of the computing system,wherein the first uni-directional sub-channel is configured to carry messages from the first execution context to the second execution context using a postMessage application programming interface (API) of the web browsing application,wherein the second uni-directional sub-channel is configured to carry messages from the second execution context to the first execution context using the postMessage API of the web browsing application.
  - 6. The computer-implemented method of claim 1, wherein:
    - the second execution context is a descendant of the first execution context in a hierarchy of execution contexts on the computing system, anddetermining, in the first execution context and based on the initial discovery message that was transmitted from the second execution context, the identifier of the second execution context comprises accessing a value of a source identifier field of the initial discovery message.
  - 7. The computer-implemented method of claim 1, further comprising, after establishing the first and second uni-directional sub-channels, validating the bi-directional communication channel, including:
    - transmitting, from the second execution context and to the first execution context, a first channel connection message;
      
      receiving, in the first execution context, the first channel connection message transmitted from the second execution context;
      
      in response to receiving the first channel connection message, marking the bi-directional communication channel as being in a connected state at the first execution context;
      
      transmitting, from the first execution context and to the second execution context, a second channel connection message;
      
      receiving, in the second execution context, the second channel connection message transmitted from the first execution context; and
      
      in response to receiving the second channel connection message, marking the bi-directional communication channel as being in the connected state at the second execution context.
  - 8. The computer-implemented method of claim 7,wherein one or more services in the first execution context are configured use the bi-directional communication channel to carry messages from the first execution context to the second execution context in response to identifying that the first uni-directional sub-channel is in the connected state,wherein the one or more services in the first execution context are configured to perform alternative actions rather than using the bi-directional communication channel to carry messages from the first execution context to the second execution context in response to identifying that the first-uni-directional sub-channel is in an unconnected state.
  - 9. The computer-implemented method of claim 1, further comprising:
    - determining, in the first execution context, whether the first execution context was a target of the initial discovery message from the second execution context by checking whether the second execution context is a descendant of the first execution context in a hierarchy of execution contexts on the computing system; and
      
      in response to identifying that the second execution context is a descendant of the first execution context;
      
      (i) determining that the first execution context was the target of the initial discovery message from the second execution context and proceeding to establish the first uni-directional sub-channel, and(ii) selecting to establish the first uni-directional sub-channel between the first execution context and the second execution context.
  - 10. The computer-implemented method of claim 1, further comprising:
    - receiving, in the first execution context, a second initial discovery message that was transmitted from a third execution context that executes content from an origin other than the first origin, wherein the first execution context and the third execution context are each restricted from accessing data of the other as a result of the same-origin policy implemented by the computing system;
      
      determining, in the first execution context, whether the first execution context was a target of the second initial discovery message from the third execution context by checking whether the third execution context is a descendant of the first execution context in a hierarchy of execution contexts on the computing system; and
      
      in response to identifying that the third execution context is not a descendant of the first execution context, discarding the second initial discovery message so as to not establish a communication channel between the first execution context and the third execution context.
  - 11. The computer-implemented method of claim 1, further comprising:
    - identifying, in the first execution context, that the initial discovery message from the second execution context contains a first token that indicates the initial discovery message is to initiate establishment of a first channel between the first execution context and a first service of the second execution context;
      
      receiving, in the first execution context, a second initial discovery message that was transmitted from the second execution context;
      
      identifying, in the first execution context, that the second initial discovery message from the second execution context contains a second token that indicates the second initial discovery message is to initiate establishment of a second channel between the first execution context and a second service of the second execution context that is different from the first service of the second execution context.
  - 12. The computer-implemented method of claim 1, comprising, after establishing the bi-directional communication channel between the first execution context and the second execution context:
    - identifying a user interaction with a control element displayed within a presentation of the first execution context; and
      
      in response to identifying the user interaction with the control element displayed within the presentation of the first execution context, transmitting, over the bi-directional communication channel from the first execution context and to the second execution context, an indication of the user interaction with the control element displayed within the presentation of the first execution context.
  - 13. The computer-implemented method of claim 12, wherein the user interaction with the control element displayed within the presentation of the first execution context indicates an instruction to hide or close a presentation of the content executed by the second execution context.

14. A computing system comprising one or more processors and one or more computer-readable media encoded with instructions that, when executed, cause the one or more processors to implement:
- a first execution context that executes content from a first origin;
  
  a second execution context that executes content from a second origin that is different from the first origin; and
  
  a security application that restricts each of the first execution context and the second execution context from accessing data of the other in accordance with a same-origin policy implemented by the security application;
  
  wherein the first execution context and the second execution context are configured to establish a bi-directional communication channel for carrying messages between the first execution context and the second execution context by performing operations that comprise;
  
  receiving, in the first execution context, an initial discovery message that was transmitted from the second execution context;
  
  determining, in the first execution context and based on the initial discovery message that was transmitted from the second execution context, an identifier of the second execution context;
  
  establishing, using the identifier of the second execution context, a first uni-directional sub-channel of the bi-directional communication channel, the first uni-directional sub-channel configured to carry messages from the first execution context to the second execution context;
  
  receiving, in the second execution context, a connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel;
  
  determining, in the second execution context and based on the connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel, an identifier of the first execution context; and
  
  establishing, using the identifier of the first execution context, a second uni-directional sub-channel of the bi-directional communication channel, the second uni-directional sub-channel configured to carry messages from the second execution context to the first execution context.
- View Dependent Claims (15, 16, 17)
- - 15. The computing system of claim 14, wherein the operations further comprise:
    - determining, in the first execution context, whether the first execution context was a target of the initial discovery message from the second execution context by checking whether the second execution context is a descendant of the first execution context in a hierarchy of execution contexts on the computing system; and
      
      in response to identifying that the second execution context is a descendant of the first execution context;
      
      (i) determining that the first execution context was the target of the initial discovery message from the second execution context and proceeding to establish the first uni-directional sub-channel, and(ii) selecting to establish the first uni-directional sub-channel between the first execution context and the second execution context.
  - 16. The computing system of claim 14, wherein the operations further comprise:
    - receiving, in the first execution context, a second initial discovery message that was transmitted from a third execution context that executes content from an origin other than the first origin, wherein the first execution context and the third execution context are each restricted from accessing data of the other as a result of the same-origin policy implemented by the computing system;
      
      determining, in the first execution context, whether the first execution context was a target of the second initial discovery message from the third execution context by checking whether the third execution context is a descendant of the first execution context in a hierarchy of execution contexts on the computing system; and
      
      in response to identifying that the third execution context is not a descendant of the first execution context, discarding the second initial discovery message so as to not establish a communication channel between the first execution context and the third execution context.
  - 17. The computing system of claim 14, wherein the operations further comprise:
    - identifying, in the first execution context, that the initial discovery message from the second execution context contains a first token that indicates the initial discovery message is to initiate establishment of a first channel between the first execution context and a first service of the second execution context;
      
      receiving, in the first execution context, a second initial discovery message that was transmitted from the second execution context;
      
      identifying, in the first execution context, that the second initial discovery message from the second execution context contains a second token that indicates the second initial discovery message is to initiate establishment of a second channel between the first execution context and a second service of the second execution context that is different from the first service of the second execution context.

18. One or more non-transitory computer-readable media having instructions stored thereon that, when executed by one or more processors of a computing system, cause the one or more processors to perform operations for communicating data between a first execution context on the computing system and a second execution context on the computing system,wherein the first execution context is configured to execute content from a first origin,wherein the second execution context is configured to execute content from a second origin that is different from the first origin, andwherein the first execution context and the second execution context are each restricted from accessing data of the other as a result of a same-origin policy of the computing system, the operations comprising:
- establishing a bi-directional communication channel between the first execution context and the second execution context, including;
  
  receiving, in the first execution context, an initial discovery message that was transmitted from the second execution context;
  
  determining, in the first execution context and based on the initial discovery message that was transmitted from the second execution context, an identifier of the second execution context;
  
  establishing, using the identifier of the second execution context, a first uni-directional sub-channel of the bi-directional communication channel, the first uni-directional sub-channel configured to carry messages from the first execution context to the second execution context;
  
  receiving, in the second execution context, a connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel;
  
  determining, in the second execution context and based on the connection broadcast message that was transmitted from the first execution context over the first uni-directional sub-channel, an identifier of the first execution context; and
  
  establishing, using the identifier of the first execution context, a second uni-directional sub-channel of the bi-directional communication channel, the second uni-directional sub-channel configured to carry messages from the second execution context to the first execution context; and
  
  communicating messages between the first execution context and the second execution context over the bi-directional communication channel.
- View Dependent Claims (19, 20)
- - 19. The computer-readable media of claim 18, wherein in accordance with the same-origin policy, the computing system classifies the second origin as being different from the first origin in response to identifying that at least one of transmission protocols, addresses, or port numbers of the first origin and the second origin differ from each other.
  - 20. The computer-readable media of claim 18, wherein the first execution context comprises a first window object configured to present the content from the first origin, wherein the second execution context comprises a second window object configured to present the content from the second origin.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Frisbie, Matthew Steven

Granted Patent

US 10,554,692 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6209   to a single file or object,...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/34   involving the movement of s...

Cross-Origin Communication in Restricted Computer Environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-Origin Communication in Restricted Computer Environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links