Enforcement of same origin policy for sensitive data
First Claim
1. A method to enforce same origin policy comprising:
- examining a network message, from a client to a first domain, corresponding to a sensitive data, wherein generation of the network message is initiated from a second domain;
determining a trigger within the network message to cause release of the sensitive data, wherein the trigger identifies the second domain;
retrieving one or more authorized triggers for the sensitive data from a storage device;
determining whether the trigger matches the one or more authorized triggers for the sensitive data; and
releasing the sensitive data based on the determination of whether the trigger matches the one or more authorized triggers for the sensitive data.
0 Assignments
0 Petitions
Accused Products
Abstract
Methods, systems, and apparatus relating to enforcement of same origin policy of sensitive data are described. In an embodiment, a security agent may help ensure release of sensitive data is only triggered by authorized sources. The security agent may help ensure sensitive data is only released to authorized destinations. A security agent may translate or obfuscate sensitive data. Sensitive data may include HTTP cookies, session data, authentication information, authorization information, personal information, user credentials, and/or other data sensitive in nature. Sensitive data destinations and/or sensitive data origins may be identified. Identification may be performed using secure means (such as for example a SSL/TLS handshake). Other embodiments are also disclosed and claimed.
-
Citations
20 Claims
-
1. A method to enforce same origin policy comprising:
-
examining a network message, from a client to a first domain, corresponding to a sensitive data, wherein generation of the network message is initiated from a second domain; determining a trigger within the network message to cause release of the sensitive data, wherein the trigger identifies the second domain; retrieving one or more authorized triggers for the sensitive data from a storage device; determining whether the trigger matches the one or more authorized triggers for the sensitive data; and releasing the sensitive data based on the determination of whether the trigger matches the one or more authorized triggers for the sensitive data. - View Dependent Claims (6)
-
-
2. The method of 1 further comprising determining whether the trigger is from the same origin as a destination of the trigger.
-
3. The method of 1 wherein the sensitive data is one of:
- HTTP cookie, session cookie, session data, authentication information, password, credential, financial data, or personal information.
-
4. The method of 1 wherein the trigger is one or more of:
- REFERER HTTP Header, ORIGIN HTTP Header, URL location, X-Requested-With HTTP Header, or X-Requested-By HTTP Header.
-
5. The method of 4 further comprising extracting a domain name from the REFERER HTTP Header.
-
7. The method of 1 wherein the network message is an Hypertext Transfer Protocol (HTTP) request.
-
8. A method of enforcing same origin policy comprising:
-
examining a HyperText Transfer Protocol (HTTP) response from a client to a first domain, wherein generation of the HTTP response is initiated from a second domain; determining a sensitive data from the HTTP response; determining meta-data for the sensitive data, wherein the meta-data identifies the second domain; constructing an acting sensitive data based on the determined meta-data for the sensitive data; and inserting the acting sensitive data into the HTTP response. - View Dependent Claims (11)
-
-
9. The method of 8 wherein the sensitive data is an HTTP cookie.
-
10. The method of 8 wherein the sensitive data is a session cookie.
-
12. The method of 8 wherein determining the meta-data for the sensitive data comprises examining a communication channel for an origin identifier.
-
13. The method of 8 wherein the trigger is one or more of:
- REFERER HTTP Header, ORIGIN HTTP Header, URL location, X-Requested-With HTTP Header, or X-Requested-By HTTP Header.
-
14. A security agent system to enforce same origin policy for a sensitive data comprising:
-
a storage device storing one or more instructions; and a processor coupled to the storage device configured to execute the one or more instructions, wherein the one or more instructions are configured to cause the processor to; examine a network message, from a client to a first domain, corresponding to a sensitive data; determine a trigger within the network message to cause release of the sensitive data, wherein the trigger identifies a second domain; retrieve one or more authorized triggers for the sensitive data; determine whether the trigger matches the one or more authorized triggers for the sensitive data; and release the sensitive data based on the determination of whether the trigger matches the one or more authorized triggers for the sensitive data. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification