Method and system for improved internet security via HTTP-only cookies
First Claim
1. In a computing environment, a method comprising:
- receiving data from a web site at a transport component, the data including unsafe content;
- parsing and interpreting the unsafe content received via the transport component, including invoking an engine to execute code present in the unsafe content, the code requesting access to a cookie; and
- determining at a security mechanism operably connected to the browser component whether the cookie is accessible to the unsafe content based on information associated with the cookie, wherein the security mechanism is configured to deny access to the cookie when the information indicates that the cookie is not accessible to the unsafe content, wherein the unsafe content requests return of a cookie via a function called by the engine, and wherein the function obtains the information associated with the cookie from the transport component for evaluation by the security mechanism.
Abstract
A system and method that prevents certain cookies, as specified by an Internet server, from being accessed through client-side script, thereby limiting the damage that cross-site scripting attacks can accomplish. The server marks selected cookies with an attribute that flags such cookies as protected, and a security mechanism in the client prevents protected cookies from being accessed via script. A protected (flagged) cookie can still be accessed by the server (e.g., via HTTP), while non-flagged cookies can be accessed by either the server or script. An API or similar layer implements the security mechanism that checks for the attribute and fails requests for any cookie having that attribute set. The present invention can also be adapted to prevent a malicious script from overwriting existing HTTP-only cookies on a client machine.
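The mechanism the abstract describes is easiest to see as a small cookie store with two access paths: the transport path (HTTP request and response headers), which always sees every cookie, and the script path (the equivalent of `document.cookie`), which is filtered by the protection flag. The following JavaScript model is an added example and is not code from the patent or from any browser; the `CookieJar` class, its method names, and the cookie names and headers are constructed for illustration. It also covers the overwrite case the abstract mentions, and additionally refuses to let script create an HttpOnly cookie of its own, which is the behaviour RFC 6265 section 5.3 specifies for cookies set through a non-HTTP API.

```javascript
// Added illustrative model of an HttpOnly enforcement layer (not the patent's
// code). Cookie names, values and headers below are constructed sample data.

class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, httpOnly }
  }

  // Transport component: a Set-Cookie header from the server response.
  // The HttpOnly attribute is the server's flag marking the cookie as protected.
  storeFromSetCookie(header) {
    const parts = header.split(';').map((p) => p.trim());
    const eq = parts[0].indexOf('=');
    if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
    const name = parts[0].slice(0, eq).trim();
    const value = parts[0].slice(eq + 1);
    const httpOnly = parts.slice(1).some((a) => a.toLowerCase() === 'httponly');
    this.cookies.set(name, { value, httpOnly });
  }

  // Transport component: the Cookie request header. Protected cookies are
  // still sent to the server; the flag only restricts script access.
  cookieHeaderForRequest() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // Security mechanism behind a script read (a document.cookie getter): the
  // function obtains each cookie's attributes from the store and fails the
  // request for any cookie whose HttpOnly flag is set.
  scriptReadCookies() {
    return [...this.cookies]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }

  // Security mechanism behind a script write (a document.cookie setter).
  // Denied when script tries to overwrite an existing HttpOnly cookie (the
  // abstract's overwrite protection) or to mint an HttpOnly cookie itself
  // (RFC 6265 section 5.3). Returns true if stored, false if denied.
  scriptWriteCookie(assignment) {
    const parts = assignment.split(';').map((p) => p.trim());
    const eq = parts[0].indexOf('=');
    if (eq < 1) return false;
    const name = parts[0].slice(0, eq).trim();
    const value = parts[0].slice(eq + 1);
    const wantsHttpOnly = parts.slice(1).some((a) => a.toLowerCase() === 'httponly');
    const existing = this.cookies.get(name);
    if (wantsHttpOnly || (existing && existing.httpOnly)) return false;
    this.cookies.set(name, { value, httpOnly: false });
    return true;
  }
}

// Scenario: the server issues a protected session cookie and an unprotected
// preference cookie; injected script then tries to read and overwrite them.
// Returns the observable outcomes for inspection.
function runScenario() {
  const jar = new CookieJar();
  jar.storeFromSetCookie('SESSIONID=abc123; Path=/; HttpOnly'); // constructed
  jar.storeFromSetCookie('theme=dark; Path=/');                 // constructed

  const seenByScript = jar.scriptReadCookies();                        // 'theme=dark'
  const overwriteDenied = !jar.scriptWriteCookie('SESSIONID=attacker-chosen'); // true
  const mintDenied = !jar.scriptWriteCookie('evil=1; HttpOnly');       // true
  const themeAllowed = jar.scriptWriteCookie('theme=light');           // true
  const sentToServer = jar.cookieHeaderForRequest();                   // 'SESSIONID=abc123; theme=light'

  return { seenByScript, overwriteDenied, mintDenied, themeAllowed, sentToServer };
}

console.log(runScenario());
```

The point the scenario makes is the one the abstract makes: the session cookie never reaches script, and script cannot replace it, yet the very next request still carries it to the server unchanged. Whether a given deployment actually sets the flag is something to check in the response headers (look for `HttpOnly` on each `Set-Cookie` line for session identifiers) rather than assume.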
19 Claims
1. (Independent claim; text as given under First Claim above. Dependent claims: 2 through 11.)
12. In a computing environment, a system comprising:
- a transport component that receives a response from a web site, the response including unsafe content;
- a browser component that parses and interprets the unsafe content received via the transport component, including invoking an engine to execute code present in the unsafe content, the code requesting access to a cookie; and
- a security mechanism operably connected to the browser component, the security mechanism configured to determine whether the cookie is accessible to the unsafe content based on information associated with the cookie, the security mechanism further configured to deny access to the cookie when the information indicates that the cookie is not accessible to the unsafe content, wherein the unsafe content requests return of a cookie via a function called by the engine, and wherein the function obtains the information associated with the cookie from the transport component for evaluation by the security mechanism.
Dependent claims: 13 through 17.
18. A computer-readable storage medium having stored computer-executable instructions for performing a method, comprising:
- receiving a response from a web site;
- interpreting content in the response, including invoking a script engine to run script present in the content;
- receiving a request originating in the script to return a cookie, and in response, calling a function to return the cookie in response; and
- determining whether the cookie is protected from script access by evaluating information associated with the cookie, wherein determining whether the cookie is protected from script access comprises receiving the cookie by communicating from the function to a transport component to retrieve the cookie, and thereafter evaluating attributes associated with the cookie to determine if at least one attribute indicates the cookie is protected, and a) if the information indicates the cookie is not protected, returning the cookie in response to the request; and b) if the information indicates the cookie is protected, denying the request.
Dependent claims: 19.