Secure and extensible policy-driven application platform

US 8,438,636 B2
Filed: 05/09/2008
Issued: 05/07/2013
Est. Priority Date: 01/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method of evaluating a web interactive component, said method comprising:

defining a policy for a component in a content holder, said component providing interactions between a user and other content in the content holder when the component is rendered, said defined policy indicating an execution boundary of the component during runtime, said execution boundary defining resource access limitations of the component;

transforming at least a portion of a script content within the component to a property value of a function to be executed at runtime of the component, wherein the execution boundary defines access priorities of the runtime function;

transmitting the content holder with the transformed component to be rendered in an application on a host device;

in response to the rendering by the application, intercepting a request from the transmitted component to a server for a resource of the server, said intercepting inhibiting receipt of the request by the server, wherein the resource provides services to the transmitted component for interaction with at least one of the following;

the user and the other content from the content holder;

evaluating the intercepted request against the execution boundary in the defined policy; and

providing to the server or the application a dynamic resolution in response to the evaluated request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System of evaluating security of script content. A processor executes computer-executable instructions for defining a policy for the script content in a web page. The script content provides interactions between a user and other content within the web page. The defined policy indicates an execution boundary of the script content. The processor further evaluates the script content against the execution boundary in the defined policy. At run time, the processor transforms at least a portion of the web page in response to the evaluating. An interface transmits the web page with the transformed portion of the script content to be rendered in an application on a host device.

66 Citations

View as Search Results

17 Claims

1. A method of evaluating a web interactive component, said method comprising:
- defining a policy for a component in a content holder, said component providing interactions between a user and other content in the content holder when the component is rendered, said defined policy indicating an execution boundary of the component during runtime, said execution boundary defining resource access limitations of the component;
  
  transforming at least a portion of a script content within the component to a property value of a function to be executed at runtime of the component, wherein the execution boundary defines access priorities of the runtime function;
  
  transmitting the content holder with the transformed component to be rendered in an application on a host device;
  
  in response to the rendering by the application, intercepting a request from the transmitted component to a server for a resource of the server, said intercepting inhibiting receipt of the request by the server, wherein the resource provides services to the transmitted component for interaction with at least one of the following;
  
  the user and the other content from the content holder;
  
  evaluating the intercepted request against the execution boundary in the defined policy; and
  
  providing to the server or the application a dynamic resolution in response to the evaluated request.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein providing the dynamic resolution comprises at least one of the following:
    - granting the request if the requested resource can be executed within the execution boundary, denying the request if the requested resource cannot be executed within the execution boundary, augmenting the request before granting the request, replacing the request with another request before providing a substitute resolution in response to the another request, and requesting a user input from the user for granting or denying the request.
  - 3. The method of claim 1, further comprising providing an application programming interface (API) for receiving the request from the component, and wherein intercepting comprises intercepting a request from the API for a resource of the server.
  - 4. The method of claim 1, further comprising instantiating a plurality of instances of the components.
  - 5. The method of claim 4, wherein intercepting comprises intercepting a request from each of the plurality of instantiated instances of the component for a resource of a server.
  - 6. The method of claim 1, further comprising modifying the request from the component in response to the evaluating, said modifying the request comprises rewriting the request such that the request is within the execution boundary based on the defined policy.

7. A system of evaluating security of script content that integrates code and behaviors from various sources, said system comprising:
- a processor configured to execute computer-executable instructions for;
  
  defining a policy for the script content in a web page, said script content providing interactions between a user and other content within the web page, said defined policy indicating an execution boundary of the script content, said execution boundary defining resource access of the script content;
  
  evaluating the script content against said execution boundary in the defined policy;
  
  transforming, at runtime, at least a portion of the web page in response to the evaluating;
  
  transforming at least a portion of the script content, within the web page, to a property value of a function included in the script content to be executed at runtime of the component, wherein the execution boundary defines a priority of the function;
  
  replacing the transformed portion of the script content with another property value mapping another script content, said another property value falling within the execution boundary of the defined policy when executed at runtime; and
  
  an interface for transmitting the web page with the transformed portion of the script content to be rendered in an application on a host device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the processor is further configured to provide to the server or the application a dynamic resolution in response to the evaluating.
  - 9. The system of claim 8, wherein the dynamic resolution comprises at least one of the following:
    - granting a request if the transformed portion of the web page can be executed within the execution boundary, denying a request if the transformed portion of the web page cannot be executed within the execution boundary, augmenting a request before granting the request, replacing the request with another request before providing a substitute resolution in response to the another request, and requesting a user input from the user for granting or denying a request from the transformed portion of the web page.
  - 10. The system of claim 8, further comprising an application programming interface (API) for receiving the request from the script content, and the processor executes the API to process the received request for a resource of a server.
  - 11. The system of claim 7, wherein the processor is further configured to instantiate a plurality of instances of the script content.
  - 12. The system of claim 7, wherein the processor is further configured to modify the script content during transforming, wherein the processor rewrites the script content to conform with another script content, and said another script content being within the execution boundary based on the defined policy.

13. A method of securing a web interactive function, said method comprising:
- defining a policy for the web interactive function in a web page, said web interactive function providing interactions to a user and to other content in the web page, said defined policy indicating an execution boundary of the web interactive function, said execution boundary defining resource access of the web interactive function;
  
  transmitting the web page to be rendered in an application on a host device;
  
  in response to the rendering by the application, monitoring the web interactive function for a request to interact with the user or the other content in the web page;
  
  intercepting the monitored request from the web interactive function to a server for a resource of the server, said intercepting inhibiting receipt of the request by the server, wherein the resource provides services to the web interactive function for interaction with at least one of the following;
  
  the user and the other content from the web page;
  
  evaluating the intercepted request against the execution boundary in the defined policy;
  
  rewriting the intercepted request such that the rewritten request is within the execution boundary based on the defined policy;
  
  transforming at least a portion of a script content of the web interactive function to a property value of a runtime function included in the script content to be executed at runtime of the component, wherein the execution boundary defines an access priority of the runtime function; and
  
  providing to the server or the application a dynamic resolution in response to the evaluating.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein providing the dynamic resolution comprises at least one of the following:
    - granting the request if the requested resource can be executed within the execution boundary, denying the request if the requested resource cannot be executed within the execution boundary, augmenting the request before granting the request, replacing the request with another request before providing a substitute resolution in response to the another request, and requesting a user input from the user for granting or denying the request.
  - 15. The method of claim 13, further comprising providing an application programming interface (API) for receiving the request from the function, and wherein intercepting comprises intercepting a request from the API for a resource of the server.
  - 16. The method of claim 13, further comprising instantiating a plurality of instances of the function when a plurality of web pages is rendered by the application.
  - 17. The method of claim 16, wherein intercepting comprises intercepting a request from each of the plurality of instantiated instances of the component for a resource of the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yolleck, Stephen Mark, Logan, Ronald Keith, Isaacs, Scott
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US12/118,321
Publication Number

US 20090183171A1
Time in Patent Office

1,824 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2119   Authenticating web pages, e...

G06F 9/451   Execution arrangements for ...

G06F 9/468   Specific access rights for ...

Secure and extensible policy-driven application platform

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Secure and extensible policy-driven application platform

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links