Lockbox for mitigating same origin policy failures

US 8,782,797 B2
Filed: 07/17/2008
Issued: 07/15/2014
Est. Priority Date: 07/17/2008
Status: Active Grant

First Claim

Patent Images

1. A system configured to facilitate mitigating security policy failures in a computing environment, the system comprising:

a processing unit;

a lockbox module configured to process one or more requests for at least one of data or an application feature;

an instruction set comprising at least one instruction configured to instruct the lockbox module to;

generate a lockbox computing application element that contains the at least one of the data or the application feature, the lockbox computing application element being configured to associate security privileges to selected content, andprocess the at least one of the data or the application feature contained in the lockbox computing application element to determine whether the at least one of the data or the application feature is associated with the lockbox computing application element according to a selected same-origin-policy (SOP) management paradigm,wherein the selected SOP management paradigm comprises at least one other instruction configured to associate the at least one of the data or the application feature with a plurality of nested lockboxes including at least an inner lockbox having a first associated security privilege and an outer lockbox having a second associated security privilege; and

a computer-readable storage medium storing instructions that, when executed by the processing unit, cause the processing unit to implement the lockbox module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods to manage same-origin-policy (SOP) failures that occur in a computing environment are provided. In an illustrative implementation, an exemplary computing environment comprises a lockbox module, and an instruction set comprising at least one instruction directing the lockbox module to process data and/or computing application execution commands representative of and a request for a selected operation/feature according to a selected SOP management paradigm. In the illustrative implementation, the SOP management paradigm comprises one or more instructions to deploy a “lockbox” computing application element allowing for the management, monitoring, and control of computing application features/operations operable under a same origin policy.

Citations

20 Claims

1. A system configured to facilitate mitigating security policy failures in a computing environment, the system comprising:
- a processing unit;
  
  a lockbox module configured to process one or more requests for at least one of data or an application feature;
  
  an instruction set comprising at least one instruction configured to instruct the lockbox module to;
  
  generate a lockbox computing application element that contains the at least one of the data or the application feature, the lockbox computing application element being configured to associate security privileges to selected content, andprocess the at least one of the data or the application feature contained in the lockbox computing application element to determine whether the at least one of the data or the application feature is associated with the lockbox computing application element according to a selected same-origin-policy (SOP) management paradigm,wherein the selected SOP management paradigm comprises at least one other instruction configured to associate the at least one of the data or the application feature with a plurality of nested lockboxes including at least an inner lockbox having a first associated security privilege and an outer lockbox having a second associated security privilege; and
  
  a computer-readable storage medium storing instructions that, when executed by the processing unit, cause the processing unit to implement the lockbox module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system as recited in claim 1, wherein the inner lockbox is accessible by the outer lockbox.
  - 3. The system as recited in claim 2, wherein:
    - the at least one of the data or the application feature is included in the inner lockbox, andthe at least one instruction is configured to instruct the lockbox module to allow access to the at least one of the data or the application feature by a requesting entity when a source of the one or more requests is provided by a document object model (DOM) tree of the inner lockbox.
  - 4. The system as recited in claim 3, wherein the DOM tree is a hyper text mark-up language (HTML) document object tree.
  - 5. The system as recited in claim 3, wherein the at least one of the data or the application feature is associated with the inner lockbox as a principal of a domain that deploys the inner lockbox.
  - 6. The system as recited in claim 1, wherein the lockbox module is configured to attach a source universal resource locator (URL) associated with the inner lockbox as a hypertext transfer protocol (HTTP) header comprising a portion of an out-going HTTP request.
  - 7. The system as recited in claim 6, wherein the HTTP header is unique.
  - 8. The system as recited in claim 7, wherein the lockbox module is configured to deploy a personal image based at least on asserting authenticity of individual contents contained in the inner lockbox.
  - 9. The system as recited in claim 8, wherein the personal image is configured to be displayed via one or more cooperating computing environments and is configured to be used by the lockbox module in determining at least some of the selected content to release from the lockbox.
  - 10. The system as recited in claim 1, wherein the at least one of the data or the application feature is contained in the lockbox computing application element according to a selected tag.

11. A method performed by executing instructions with at least one processing unit, the method comprising:
- creating a lockbox computing application element that associates security privileges with data or an application feature contained in the lockbox computing application element, the lockbox computing application element being associated with a plurality of nested lockboxes including at least;
  
  an inner lockbox that includes the data or the application feature and has a first associated security privilege, andan outer lockbox that includes the inner lockbox and has a second associated security privilege;
  
  receiving a request for the data or the application feature that is contained in the lockbox computing application element;
  
  identifying a source of the request;
  
  making a determination whether the source is an approved source to which the lockbox computing application element is configured to provide access; and
  
  selectively providing access to the data or the application feature based on the determination.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method as recited in claim 11, further comprising associating the inner lockbox with a selected document object model tree.
  - 13. The method as recited in claim 12, further comprising determining whether the source of the request is part of a domain tree that contains the inner lockbox.
  - 14. The method as recited in claim 13, further comprising providing an error to the source when the determination is that the source is not approved.
  - 15. The method as recited in claim 11, wherein the determination is based on whether the source of the request has the first associated security privilege.
  - 16. The method as recited in claim 15, wherein the determination is also based on whether the source of the request has the second associated security privilege.
  - 17. The method as recited in claim 16, wherein the selectively providing comprises providing the access when the determination indicates that the source of the request has both the first associated security privilege and the second associated security privilege.
  - 18. The method as recited in claim 16, wherein the selectively providing comprises denying the access when the determination indicates that the source of the request does not have both the first associated security privilege and the second associated security privilege.
  - 19. The method as recited in claim 18, wherein the lockbox computing application element is a hypertext markup language (HTML) element of an HTML document.

20. One or more hardware computer storage media storing computer executable instructions that, when executed by a computing device, cause the computing device to perform operations comprising:
- creating a lockbox computing application element that associates a first security privilege and a second security privilege with data or an application feature, the lockbox computing application element identifying nested lockboxes including at least;
  
  an inner lockbox that contains the data or the application feature and associates the first security privilege with the data or the application feature, andan outer lockbox that contains the inner lockbox and associates the second security privilege with the data or the application feature;
  
  receiving a request for the data or the application feature that is contained in the inner lockbox identified by the lockbox computing application element;
  
  identifying a source of the request;
  
  determining that the source of the request is approved to access the data or the application feature in accordance with both the first security privilege and the second security privilege; and
  
  responsive to the determining, providing the data or the application feature to the source of the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wang, Jiahe Helen, Fan, Xiaofeng, Chen, Shuo
Primary Examiner(s)
CHEUNG, CALVIN K

Application Number

US12/175,264
Publication Number

US 20100017883A1
Time in Patent Office

2,189 Days
Field of Search

726/4, 726/7, 726/26, 726/30
US Class Current

726/26
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1416 Event detection, e.g. attac...

Lockbox for mitigating same origin policy failures

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Lockbox for mitigating same origin policy failures

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links