Resource based dynamic security authorization
First Claim
Patent Images
1. A computer-implemented method for managing access to a second resource by sandboxed code included on a client, the method comprising:
- executing the sandboxed code on the client and allowing operations to execute that adhere to a static security policy;
wherein the sandboxed code has restricted access to resources and other applications;
wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;
wherein the first resource includes an associated first resource policy;
determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;
wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;
wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;
establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource;
comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource;
wherein the resource based policy is stored with the first resource; and
providing the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy.
2 Assignments
0 Petitions
Accused Products
Abstract
Access to a resource by sandboxed code is dynamically authorized by a client security system based on a resource based policy. A sandboxed application running on a client is granted access to a resource based on a resource based policy despite denial of the access based on a static policy associated with the client security system. The granting of access coincides with the determination that the threat to a user or the user'"'"'s information is not increased should the access be granted.
104 Citations
20 Claims
-
1. A computer-implemented method for managing access to a second resource by sandboxed code included on a client, the method comprising:
-
executing the sandboxed code on the client and allowing operations to execute that adhere to a static security policy;
wherein the sandboxed code has restricted access to resources and other applications;
wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;
wherein the first resource includes an associated first resource policy;determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;
wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;
wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource; comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource;
wherein the resource based policy is stored with the first resource; andproviding the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system for managing access to a second resource by sandboxed code included on a client, comprising:
-
on the client executing the sandboxed code on a processor and allowing operations to execute that adhere to a static security policy;
wherein the sandboxed code has restricted access to resources and other applications;
wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;
wherein the first resource includes an associated first resource policy;determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;
wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;
wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource; comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource using a client security system;
wherein the resource based policy is stored with the first resource; andproviding the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A computer-readable storage device medium having stored thereon computer-executable instructions for dynamically managing access to a second resource by sandboxed code included on a client, the computer-executable instructions comprising:
-
executing the sandboxed code on the client and allowing operations to execute that adhere to a static security policy;
wherein the sandboxed code has restricted access to resources and other applications;
wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;
wherein the first resource includes an associated first resource policy;determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;
wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;
wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource; comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource;
wherein the resource based policy is stored with the first resource; andproviding the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy.
-
Specification