[whatwg] Proposal for cross domain security framework
Frode Børli
frode at seria.no
Fri Jun 20 04:52:21 PDT 2008
I have a proposal for a cross domain security framework that i think
should be implemented in browsers, java applets, flash applets and
more.
The problem:
If browsers could connect freely to whichever IP-address they want,
then a simple ad on a highly popular website can be used to trigger
massive DDOS attacks or distributed brute force password attacks etc.
The challenge:
The owner of the server that receives incoming connections must be
able to decide who is able to connect.
The tools available:
The browser. The server. DNS servers.
The method:
The browser always know where it downloaded any given script or
applet. It also know which IP-address or host-name the script wants to
connect to. The browser should perform the following check to make
sure that the given script is allowed to connect:
1. Browser downloads a script from server A.
2. Script tries to connect to server B.
3. Browser looks up server B's IP-address.
4. Browser performs a reverse lookup of server B's IP-address and gets
a host name for the server.
5. Browser looks up a special TXT record in the DNS record for Server
B, which states each of the IP addresses/host names that can hosts
scripts allowed to connect.
DNS records are cached multiple places (including at the local
computer), so a DDOS attack attempting to take down DNS servers
probably not succeed.
What do you think?
Best regards,
Frode Børli
Seria AS, Norway
More information about the whatwg
mailing list