[whatwg] Proposal for cross domain security framework
frode at seria.no
Fri Jun 20 04:52:21 PDT 2008
I have a proposal for a cross domain security framework that I think
should be implemented in browsers, Java applets, Flash applets and
If browsers could connect freely to whichever IP-address they want,
then a simple ad on a highly popular website can be used to trigger
massive DDOS attacks or distributed brute force password attacks etc.
The owner of the server that receives incoming connections must be
able to decide who is able to connect.
The tools available:
The browser. The server. DNS servers.
The browser always knows where it downloaded any given script or
applet. It also knows which IP-address or host-name the script wants to
connect to. The browser should perform the following check to make
sure that the given script is allowed to connect:
1. Browser downloads a script from server A.
2. Script tries to connect to server B.
3. Browser looks up server B's IP-address.
4. Browser performs a reverse lookup of server B's IP-address and gets
a host name for the server.
5. Browser looks up a special TXT record in the DNS record for Server
B, which states each of the IP addresses/host names that can host
scripts allowed to connect.
DNS records are cached multiple places (including at the local
computer), so a DDOS attack attempting to take down DNS servers
will probably not succeed.
What do you think?
Seria AS, Norway
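
The check in steps 1-5 above, as an added example that is not part of the original post: it runs against a constructed in-memory set of DNS records so the decision logic can be followed offline. The `xd-allow=` TXT format, the function names and the fail-closed behaviour when a PTR or TXT record is missing are assumptions; the proposal does not define them.

```python
import ipaddress

# Constructed sample DNS data (documentation names and addresses only).
A_RECORDS = {"a.example": "192.0.2.10", "b.example": "198.51.100.20",
             "c.example": "192.0.2.77", "evil.example": "203.0.113.66"}
PTR_RECORDS = {"198.51.100.20": "b.example", "192.0.2.10": "a.example"}
# Hypothetical record format: "xd-allow=<host-or-ip> <host-or-ip> ..."
TXT_RECORDS = {"b.example": ["v=spf1 -all", "xd-allow=a.example 192.0.2.77"]}

PREFIX = "xd-allow="  # assumed tag, not defined by the proposal


def allowed_origins(host):
    """Return the allow-list published in host's TXT records (empty if none)."""
    entries = set()
    for txt in TXT_RECORDS.get(host, []):
        if txt.startswith(PREFIX):  # ignore unrelated TXT data such as SPF
            entries.update(txt[len(PREFIX):].lower().split())
    return entries


def may_connect(script_host, target_host):
    """Decide whether a script served by script_host may connect to target_host."""
    target_ip = A_RECORDS.get(target_host)           # step 3: forward lookup of B
    if target_ip is None:
        return False
    ptr_name = PTR_RECORDS.get(target_ip)            # step 4: reverse lookup of B
    if ptr_name is None:
        return False                                 # assumption: fail closed
    script_ip = A_RECORDS.get(script_host)
    for entry in allowed_origins(ptr_name):          # step 5: TXT allow-list
        if entry == script_host.lower():
            return True                              # matched by host name
        try:
            listed_ip = ipaddress.ip_address(entry)
        except ValueError:
            continue                                 # entry is a name, not an IP
        if script_ip and listed_ip == ipaddress.ip_address(script_ip):
            return True                              # matched by IP address
    return False


if __name__ == "__main__":
    for origin in ("a.example", "c.example", "evil.example"):
        print(origin, "-> b.example:", may_connect(origin, "b.example"))
```

The TXT record consulted is the one for the name returned by the reverse lookup, so the decision also depends on whoever controls the PTR zone for server B's address.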