The present invention relates to service provision. The present invention relates in particular, but not exclusively, to service provision between web browsers and web servers where the web server is provided on a mobile device such as a smartphone.
A web browser operates to enable display of, and user interaction with, information provided by a web server. Typically the web browser and web server are connected via the internet and/or other networks such as a local area network. Typically the web browser is an application operating as part of user equipment such as a personal computer, and the web server is located remotely under the control of a separate party and provides a website. One example of a web browser is “Internet Explorer” (trademark) provided by Microsoft (trademark).
Web browsers may be implemented as software. So-called web browser plug-ins may be added to, or operated by, an existing web browser to provide additional functionality to the web browser. Web servers are also implemented in some mobile devices, such as for example smartphones.
Normally web browsers only make it possible for a web application sourced from a site to communicate with the web site from which the application originated. However, various methods exist that allow web applications to communicate with multiple web sites. These methods include loading images from other web sites, and sourcing <script> tags from the other web sites. Some web applications use cross-site scripting to offer services that cannot be offered in the usual way, and can therefore offer useful and novel services to users. For example, we have developed web services that run on smartphones (such as the iPhone, and similar Blackberry and Nokia products) which offer web server functionality, the web services providing access to mobile device-held content, such as contacts, call log, SMS messages and location information (GPS info, cell info, Wi-Fi access point info, etc.) and which may also allow the initiation of actions such as initiating calls, sending SMS messages, etc. The present invention has especial application to such web services. In particular it is contemplated that an API be published relating to such services, so that internet site authors know in advance that such services from such phones are possible, and so can code their websites to the published API. Our system provides a UPnP-based discovery mechanism to alert the browser of a first device (a computer, such as a laptop, or an IP router, desktop computer, network storage device, etc.) that a compatible phone has been physically connected to the LAN (or is within close proximity where the first device and the phone can communicate wirelessly) so that the website can then start the authentication process.
Allowing cross-site scripting does however open up a number of security risks. Indeed it has been reported that the well-known computing and Internet security company Symantec found that in 2007 cross-site scripting vulnerabilities accounted for some 80% of all the security vulnerabilities found.
Security processes for access between plural entities are known, for example as disclosed in EP 1 903 741 (A1), WO 03098563 (A2) and IE 20020438 (A2).
Known security processes do not however alleviate risks presented to a device (e.g. a mobile device) with a web server when accessed by a web browser that is involved in cross-site scripting from web servers other than the device's web server or other operations involving plural web servers other than the device's web server. So the aforementioned web services which we have developed, which rely on cross-site scripting to, for example, a smartphone, will preferably be provided with some security mechanism(s) to reduce the threat posed by cross-site scripting attacks.
The present invention seeks to address this problem.
In a first aspect the present invention provides a method of service provision, comprising: a web browser, running in a first communications device, running a script that is from a remote source; sending, from the first communications device to a second communications device, a service request for a service required by the script running on the web browser; sending a user authorisation request from the second communications device to the first communications device; the first communications device obtaining authorisation from a user of the first communications device; sending a user authorisation from the first communications device to the second communications device; and the second communications device providing the requested service only if the user authorisation is received.
In a further aspect the present invention provides a method for a first communications device to request a service from a second communications device; comprising: a web browser, running in a first communications device, running a script that is from a remote source; the first communications device sending, to a second communications device, a service request for a service required by the script running on the web browser; the first communications device receiving a user authorisation request from the second communications device; the first communications device obtaining authorisation from a user of the first communications device; and the first communications device sending a user authorisation to the second communications device.
In a further aspect the present invention provides a method for a second communications device to respond to a service request from a first communications device, comprising: the second communications device receiving, from the first communications device, a service request for a service required by script running on a web browser running in the first communications device; the second communications device sending a user authorisation request to the first communications device; the second communications device receiving a user authorisation from the first communications device; and the second communications device providing the requested service only if the user authorisation is received.
The second communications device may determine whether user authorisation is required for the service; and the user authorisation request may be sent from the second communications device to the first communications device only if the second communications device determines that user authorisation is required for the service.
The user authorisation may comprise an approval of the service request encrypted with a password known to the first communications device and the second communications device.
The remote source may be a remote web server.
A web server running in the second communications device may receive the service request and the user authorisation.
If the second communications device performs the requested service, a service product may be produced which is forwarded to the first communications device.
The second communications device may be a smartphone.
In a further aspect the present invention provides a storage medium storing processor-implementable instructions for controlling one or more processors to carry out any of the above aspects.
In a further aspect the present invention provides a service provision system, comprising a first communications device and a second communications device; the first communications device being adapted to run, on a web browser running in the first communications device, a script that is from a remote source; the first communications device further being adapted to send, to the second communications device, a service request for a service required by the script running on the web browser; the second communications device being adapted to send a user authorisation request to the first communications device; the first communications device further being adapted to obtain authorisation from a user of the first communications device; the first communications device further being adapted to send a user authorisation to the second communications device; and the second communications device further being adapted to provide the requested service only if the user authorisation is received.
In a further aspect the present invention provides a first communications device for requesting a service from a second communications device, the first communications device comprising: a web browser adapted to run a script that is from a remote source; wherein: the first communications device is adapted to send, to the second communications device, a service request for a service required by the script running on the web browser; the first communications device is further adapted to receive a user authorisation request from the second communications device; the first communications device is further adapted to obtain authorisation from a user of the first communications device; and the first communications device is further adapted to send a user authorisation to the second communications device.
In a further aspect the present invention provides a second communications device for responding to a service request from a first communications device; the second communications device being adapted to receive, from the first communications device, a service request for a service required by script running on a web browser running in the first communications device; the second communications device further being adapted to send a user authorisation request to the first communications device; the second communications device further being adapted to receive a user authorisation from the first communications device; and the second communications device further being adapted to provide the requested service only if the user authorisation is received.
The second communications device may be further adapted to determine whether user authorisation is required for the service; and the user authorisation request may be sent from the second communications device to the first communications device only if the second communications device determines that user authorisation is required for the service.
The user authorisation may comprise an approval of the service request encrypted with a password known to the first communications device and the second communications device.
The remote source may be a remote web server.
A web server running in the second communications device may be adapted to receive the service request and the user authorisation.
The second communications device may be further adapted to produce a service product if the second communications device performs the requested service, and may be further adapted to forward the service product to the first communications device.
The second communications device may be a smartphone.
In a preferred embodiment the invention is configured to allow a user of a device such as a computer (e.g. a laptop) to grant access from internet web sites browsed on the computer to web services provided by a mobile device (such as a smartphone). The computer hosts a browser which is provided with a security module (such as a plug-in or browser helper object). The mobile device is where the service resides and is where the security verification is applied. The mobile device is not authenticating access to the Internet web sites. Access is secured using a means of secure access, such as a username and password, known to the user and the mobile device but not known to the PC browser applications (other than the secure plug-in). Typically, the interface to the mobile device will be provided by HTTP, and it is preferable to add user authentication and application identity verification information to each web request. This is the purpose of the plug-in, which is to verify the application i.d. (i.e. the actual referrer URL, that is the URL of the site from which comes the script which is seeking access to a service offered by the mobile device), provide the GUI to the user to gain the username and password, interact with the mobile server to obtain dynamic information (nonce, request count) and calculate the appropriate authentication information. The plug-in and mobile device share a private key so that they can mutually authenticate each other as real plug-in and real server.
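The per-request check described above, sketched from the mobile web server's side as an added example; it is not code from this specification. The specification does not say how the authentication information is calculated, so the HMAC-SHA256 construction, the PBKDF2 key derivation, the service names and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def derive_key(username, password, shared_key):
    # Assumption: password-derived key salted with the plug-in/server shared key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), shared_key + username.encode(), 100_000)

def auth_info(key, referrer, service, nonce, count):
    # Length-prefix each field so no two distinct requests encode alike.
    fields = [referrer.encode(), service.encode(), nonce.encode(), str(count).encode()]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class MobileServer:
    def __init__(self, key, needs_auth):
        self.key, self.needs_auth = key, needs_auth
        self.pending = {}      # nonce -> (referrer, service) it was issued for
        self.last_count = 0    # highest request count accepted so far

    def request(self, referrer, service):
        # Returns a nonce (the user authorisation request), or None if not required.
        if service not in self.needs_auth:
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (referrer, service)
        return nonce

    def authorise(self, referrer, service, nonce, count, tag):
        # Returns True (provide the service) only if the authorisation verifies.
        if self.pending.get(nonce) != (referrer, service):
            return False       # unknown nonce, or issued for another site/service
        if count <= self.last_count:
            return False       # stale or replayed request count
        expected = auth_info(self.key, referrer, service, nonce, count)
        if not hmac.compare_digest(expected, tag):
            return False       # wrong password or shared key
        del self.pending[nonce]
        self.last_count = count
        return True

def demo():
    key = derive_key("alice", "constructed-password", b"constructed-shared-key")
    phone = MobileServer(key, needs_auth={"contacts.read"})  # hypothetical service name
    site = "https://site.example/app.js"                     # constructed referrer URL
    nonce = phone.request(site, "contacts.read")
    tag = auth_info(key, site, "contacts.read", nonce, 1)    # computed by the plug-in
    return {
        "other_site": phone.authorise("https://other.example/x.js", "contacts.read", nonce, 1, tag),
        "approved": phone.authorise(site, "contacts.read", nonce, 1, tag),
        "replayed": phone.authorise(site, "contacts.read", nonce, 1, tag),
        "no_auth_needed": phone.request(site, "battery.level"),
    }
```

Binding the nonce to the referrer URL and service at issue time is what stops a script from a second site reusing an authorisation the user granted to the first.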