Securing resources from untrusted scripts behind firewalls
First Claim
1. A method for protecting internal resources against an untrusted script originated from an external server, said script being executed in a security sandbox behind a network firewall, said method comprising the steps of:
- responsive to said untrusted script requesting access to an internal resource at a request URI, said security sandbox loading a script control definition from a declaration file at the root directory of said request URI, said script control definition comprising allowable request types and script originations;
- said security sandbox validating said script control definition at said root directory;
- if said request URI is not a subdirectory, allowing said untrusted script to access said internal resource only in response to operations comprising:
  - said security sandbox verifying that the type of request is allowed in said script control definition at said root directory;
  - said security sandbox verifying that the origination of said untrusted script is allowed in said script control definition at said root directory;
- if said request URI is a subdirectory, allowing said untrusted script to access said internal resource only in response to operations comprising:
  - said security sandbox verifying that delegation is allowed in said script control definition at root directory;
  - only if delegation is allowed, said security sandbox loading a script control definition from a declaration file at said subdirectory of said request URI, said script control definition at said subdirectory comprising allowable request types and script originations;
  - said security sandbox validating said script control definition at said subdirectory;
  - said security sandbox verifying that the type of request is allowed in said script control definition at said subdirectory;
  - said security sandbox verifying that the origination of said untrusted script is allowed in said script control definition at said subdirectory.
Abstract
The invention provides a new mechanism which is used to protect all internal resources against requests from sandboxed scripts. In the preferred embodiment, the mechanism is implemented for SOAP calls by untrusted scripts. When an attempt is made to access a resource at a previously-unknown URI, the sandbox reads a file at that domain with declarations to determine whether access is permitted to the script. If the file is not found, the access is denied.
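The check sequence of claim 1 together with the deny-if-missing rule of the abstract, as an added example that is not part of the patent text. The declaration layout (keys `delegate`, `allow`, `type`, `from`), the `load` callable and the host names are assumptions made for illustration; the page does not specify the file format.

```python
import posixpath
from urllib.parse import urlsplit

def validate(decl):
    """Return the definition if well-formed, else None (fail closed)."""
    if not isinstance(decl, dict) or not isinstance(decl.get("delegate"), bool):
        return None
    rules = decl.get("allow")
    if not isinstance(rules, list):
        return None
    for r in rules:
        if not (isinstance(r, dict) and isinstance(r.get("type"), str)
                and isinstance(r.get("from"), str)):
            return None
    return decl

def permits(decl, request_type, origin):
    """Request type and script origin must both match a single rule."""
    return any(r["type"] == request_type and r["from"] in ("*", origin)
               for r in decl["allow"])

def is_allowed(request_uri, request_type, origin, load):
    """load(dir_url) returns the parsed declaration for a directory, or None."""
    parts = urlsplit(request_uri)
    root = f"{parts.scheme}://{parts.netloc}/"
    root_decl = validate(load(root))
    if root_decl is None:
        return False  # missing or malformed declaration file: deny
    # Resolve dot segments first so "/public/../svc" is judged as a root request.
    directory = posixpath.normpath(posixpath.dirname(parts.path or "/")).lstrip("/")
    if not directory:
        return permits(root_decl, request_type, origin)
    if not root_decl["delegate"]:
        return False  # subdirectory request, but the root does not delegate
    sub_decl = validate(load(root + directory + "/"))
    if sub_decl is None:
        return False
    return permits(sub_decl, request_type, origin)

# Constructed sample declarations, keyed by directory URL (hypothetical hosts).
DECLS = {
    "http://intranet.example/": {"delegate": True, "allow": [
        {"type": "soap", "from": "http://partner.example"}]},
    "http://intranet.example/public/": {"delegate": False, "allow": [
        {"type": "soap", "from": "*"}]},
    "http://locked.example/": {"delegate": False, "allow": [
        {"type": "soap", "from": "*"}]},
}
```

Every path that does not end in a successful `permits` call returns `False`, so an absent file, a malformed definition or a missing delegation flag all fail closed.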
15 Claims
Specification