Enforcement of same origin policy for sensitive data

US 8,856,869 B1
Filed: 06/22/2010
Issued: 10/07/2014
Est. Priority Date: 06/22/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method to enforce same origin policy comprising:

examining a network message, from a client to a first domain, corresponding to a sensitive data, wherein generation of the network message is initiated from a second domain;

determining a trigger within the network message to cause release of the sensitive data, wherein the trigger identifies the second domain;

retrieving one or more authorized triggers for the sensitive data from a storage device;

determining whether the trigger matches the one or more authorized triggers for the sensitive data; and

releasing the sensitive data based on the determination of whether the trigger matches the one or more authorized triggers for the sensitive data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus relating to enforcement of same origin policy of sensitive data are described. In an embodiment, a security agent may help ensure release of sensitive data is only triggered by authorized sources. The security agent may help ensure sensitive data is only released to authorized destinations. A security agent may translate or obfuscate sensitive data. Sensitive data may include HTTP cookies, session data, authentication information, authorization information, personal information, user credentials, and/or other data sensitive in nature. Sensitive data destinations and/or sensitive data origins may be identified. Identification may be performed using secure means (such as for example a SSL/TLS handshake). Other embodiments are also disclosed and claimed.

460 Citations

20 Claims

1. A method to enforce same origin policy comprising:
- examining a network message, from a client to a first domain, corresponding to a sensitive data, wherein generation of the network message is initiated from a second domain;
  
  determining a trigger within the network message to cause release of the sensitive data, wherein the trigger identifies the second domain;
  
  retrieving one or more authorized triggers for the sensitive data from a storage device;
  
  determining whether the trigger matches the one or more authorized triggers for the sensitive data; and
  
  releasing the sensitive data based on the determination of whether the trigger matches the one or more authorized triggers for the sensitive data.
- View Dependent Claims (6)
- - 6. The method of claim 1 further comprising storing one or more instructions in memory that when executed by a processor cause the processor to perform the examining, determining the trigger, retrieving the one or more authorized triggers, determining whether the trigger matches, or releasing.

2. The method of 1 further comprising determining whether the trigger is from the same origin as a destination of the trigger.

3. The method of 1 wherein the sensitive data is one of:
- HTTP cookie, session cookie, session data, authentication information, password, credential, financial data, or personal information.

4. The method of 1 wherein the trigger is one or more of:
- REFERER HTTP Header, ORIGIN HTTP Header, URL location, X-Requested-With HTTP Header, or X-Requested-By HTTP Header.

5. The method of 4 further comprising extracting a domain name from the REFERER HTTP Header.

7. The method of 1 wherein the network message is an Hypertext Transfer Protocol (HTTP) request.

8. A method of enforcing same origin policy comprising:
- examining a HyperText Transfer Protocol (HTTP) response from a client to a first domain, wherein generation of the HTTP response is initiated from a second domain;
  
  determining a sensitive data from the HTTP response;
  
  determining meta-data for the sensitive data, wherein the meta-data identifies the second domain;
  
  constructing an acting sensitive data based on the determined meta-data for the sensitive data; and
  
  inserting the acting sensitive data into the HTTP response.
- View Dependent Claims (11)
- - 11. The method of claim 8 further comprising storing one or more instructions in memory that when executed by a processor cause the processor to perform the examining, determining the sensitive data, determining the meta-data, constructing, or inserting.

9. The method of 8 wherein the sensitive data is an HTTP cookie.

10. The method of 8 wherein the sensitive data is a session cookie.

12. The method of 8 wherein determining the meta-data for the sensitive data comprises examining a communication channel for an origin identifier.

13. The method of 8 wherein the trigger is one or more of:
- REFERER HTTP Header, ORIGIN HTTP Header, URL location, X-Requested-With HTTP Header, or X-Requested-By HTTP Header.

14. A security agent system to enforce same origin policy for a sensitive data comprising:
- a storage device storing one or more instructions; and
  
  a processor coupled to the storage device configured to execute the one or more instructions, wherein the one or more instructions are configured to cause the processor to;
  
  examine a network message, from a client to a first domain, corresponding to a sensitive data;
  
  determine a trigger within the network message to cause release of the sensitive data, wherein the trigger identifies a second domain;
  
  retrieve one or more authorized triggers for the sensitive data;
  
  determine whether the trigger matches the one or more authorized triggers for the sensitive data; and
  
  release the sensitive data based on the determination of whether the trigger matches the one or more authorized triggers for the sensitive data.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14 wherein the processor is to comprise one or more processor cores.
  - 16. The system of claim 14 wherein the storage device is to comprise volatile or non-volatile memory.
  - 17. The system of claim 14 wherein the processor is to determine whether a destination of sensitive data is an authorized destination.
  - 18. The system of claim 14 wherein the sensitive data is one of:
    - HTTP cookie, session cookie, session data, or authorization information.
  - 19. The system of claim 14 wherein the network message is communicated over a secure communication channel.
  - 20. The system of claim 14, wherein the secure communication channel is SSL or TLS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nexwavsec Software Incorporated
Original Assignee
Nexwavsec Software Incorporated
Inventors
Brinskelle, Jeffrey E.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US12/821,116
Time in Patent Office

1,568 Days
Field of Search

726/2, 726/12, 726/14
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

Enforcement of same origin policy for sensitive data

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

460 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcement of same origin policy for sensitive data

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

460 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links