Simple access control for post message API in unmodified browsers

Other Title(s)

سيطرة وصول مبسطة لمواجهة postMessage البرمجية على المتصفحات غير المعدلة

Dissertant

al-Ithawi, Umar Muthanna Adnan

Thesis advisor

al-Majali, Sufyan

Committee Members

al-Mahdi, Nailah
Darwish, Abd Allah
al-Qatawnah, Jafar

University

Princess Sumaya University for Technology

Faculty

King Hussein Faculty for Computing Sciences

Department

Department of Computer Sciences

University Country

Jordan

Degree

Master

Degree Date

2015

English Abstract

A mashup is a web site that combines content from multiple sources.

The web site itself is called the integrator, and the other components are called gadgets.

In this thesis, we propose Okra, which is a framework to mediate cross-domain communications in web mashups.

It is an abstraction layer over the low-level postMessage Application Programming Interface (API) that simplifies integration between cross-origin components while maintaining least-privilege communication through whitelisted access control.

This research employs a bottom-up approach to designing the framework, through simulation and proof of concept, based on existing principles of software security and quality.

This approach aims to produce a minimal but feature-rich framework.

Okra aims to be compatible with the majority of browsers, and to secure both itself and the mashup that employs it.

Evaluating the framework showed a moderate performance overhead over the postMessage API.

Okra’s simple API helps in reducing the complexity of defining and consuming interfaces for mashup components.

The access control layer of Okra has been tested against two types of malicious attacks, and no vulnerabilities were found.

Main Subjects

Information Technology and Computer Science

No. of Pages

54

Table of Contents

Table of contents.

Abstract.

Abstract in Arabic.

Chapter One : Introduction.

Chapter Two : Background and literature review.

Chapter Three : The Okra framework.

Chapter Four : Evaluation.

Chapter Five : Conclusion.

References.

American Psychological Association (APA)

al-Ithawi, Umar Muthanna Adnan. (2015). Simple access control for post message API in unmodified browsers. (Master's theses Theses and Dissertations Master). Princess Sumaya University for Technology, Jordan
https://search.emarefa.net/detail/BIM-651094

Modern Language Association (MLA)

al-Ithawi, Umar Muthanna Adnan. Simple access control for post message API in unmodified browsers. (Master's theses Theses and Dissertations Master). Princess Sumaya University for Technology. (2015).
https://search.emarefa.net/detail/BIM-651094

American Medical Association (AMA)

al-Ithawi, Umar Muthanna Adnan. (2015). Simple access control for post message API in unmodified browsers. (Master's theses Theses and Dissertations Master). Princess Sumaya University for Technology, Jordan
https://search.emarefa.net/detail/BIM-651094

Language

English

Data Type

Arab Theses

Record ID

BIM-651094