Reducing cross-site scripting attacks by segregating HTTP resources by subdomain
Abstract
An arrangement for reducing the occurrence of harmful cross-site scripting is provided by segregating on-line content or other resources so that they are accessible at different domains or subdomains, each of which corresponds to a set of users, called a “sharing set,” where each user in the set has identical access privileges to certain resources. The sharing set is provided with an identifier (which may or may not be unique), so that the identifier may be used as the name of the domain or subdomain for which any member of the sharing set is authorized to access the resources located there. In this way, script that is embedded with the content can only be executed among members of the sharing set. Users who are not members of the sharing set are unable to invoke cross-site scripting attacks that would allow them to gain access to data from sharing set members.
20 Claims
1. A system comprising:
- one or more processors that when executing instructions are configured to:
receive a request for a resource from a caller;
based at least in part on determining that the request is directed to a first uniform resource locator (URL) comprising a non-segregated sub-domain, redirect the request to a second URL comprising a segregated sub-domain and a path part, the path part comprising an encryption based at least in part on an identifier that corresponds to a sharing set of callers authorized to access the resource;
decrypt the path part to determine the identifier; and
based at least in part on determining that the identifier matches the segregated sub-domain, provide the resource to the caller.
11. A method, comprising:
- receiving a request for a resource from a caller, the request directed to a second uniform resource locator (URL) comprising a segregated sub-domain and a path part;
- decrypting the path part to determine an identifier that corresponds to a sharing set of callers authorized to access the resource; and
- based at least in part on determining that the identifier matches the segregated sub-domain, providing the resource to the caller, at least some of the method implemented at least in part via a processor.
17. A computer-readable storage unit comprising computer-executable code, which when executed via a processor on a computer perform acts, comprising:
- receiving a request to upload a resource from a caller;
- based at least in part on receiving the request, encrypting an identifier that corresponds to a sharing set of callers authorized to access the resource to generate an encryption; and
- providing a second uniform resource locator (URL) for accessing the resource once uploaded, the second URL comprising a segregated sub-domain and a path part, the path part comprising the encryption.
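The redirect-then-verify flow of claims 1, 11 and 17, as an added Node.js example that is not part of the patent: a request to the non-segregated host is redirected to a sharing-set sub-domain whose path carries the encrypted identifier, and the resource is served only when the decrypted identifier equals the sub-domain label. The choice of AES-256-GCM, the host names, the `sharingSetOf` lookup and binding the token to the resource name through AAD are assumptions made for the example.

```javascript
const crypto = require("crypto");

// Constructed demo values; none of these names come from the patent.
const KEY = crypto.randomBytes(32);          // per-process key; a real service would load a managed key
const PLAIN_HOST = "files.example.test";     // non-segregated sub-domain
const SEG_SUFFIX = ".content.example.test";  // parent of the segregated sub-domains

// Encrypt the sharing-set identifier into a URL-safe path part: iv | tag | ciphertext.
function sealId(id, resource) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", KEY, iv);
  c.setAAD(Buffer.from(resource));           // assumption: bind the path part to one resource
  const ct = Buffer.concat([c.update(id, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64url");
}

// Decrypt a path part; returns the identifier, or null if it is malformed or was tampered with.
function openId(token, resource) {
  try {
    const raw = Buffer.from(token, "base64url");
    if (raw.length < 29) return null;        // 12-byte iv + 16-byte tag + at least 1 byte
    const d = crypto.createDecipheriv("aes-256-gcm", KEY, raw.subarray(0, 12));
    d.setAAD(Buffer.from(resource));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
  } catch {
    return null;                             // authentication failure or bad input
  }
}

// Routing decision. sharingSetOf(resource) is a hypothetical lookup returning the
// sharing-set identifier (assumed to be a valid DNS label) or null.
function handle(host, path, sharingSetOf) {
  const parts = path.split("/").filter(Boolean);
  if (host === PLAIN_HOST) {
    const resource = parts.join("/");
    const id = sharingSetOf(resource);
    if (!id) return { status: 404 };
    const location = `https://${id}${SEG_SUFFIX}/${sealId(id, resource)}/${resource}`;
    return { status: 302, location };
  }
  if (!host.endsWith(SEG_SUFFIX) || parts.length < 2) return { status: 404 };
  const label = host.slice(0, -SEG_SUFFIX.length);
  const resource = parts.slice(1).join("/");
  const id = openId(parts[0], resource);
  // Serve only when the decrypted identifier names the sub-domain the request arrived on.
  return id !== null && id === label ? { status: 200, resource } : { status: 403 };
}
```

Checking that the caller actually belongs to the sharing set is a separate authorization step that this example leaves out.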
Specification