The protection model of the World Wide Web and cooperating web browsers is generally governed by the Same-Origin Policy (SOP). Typically, SOP provides domain- or site-based isolation on the browser side, preventing code from one domain from accessing any resource belonging to another domain.
Unfortunately, SOP is constantly violated. Such violations can be due to Cross Site Scripting (XSS) vulnerabilities in Web services, which enable maliciously injected scripts to run, without authorization, with the privilege of the Web service's domain. The violations can also exploit cross-domain browser vulnerabilities, which often stem from complex browser logic such as navigation, scripting, and user event handling. A compromise of SOP can be detrimental, resulting in damage such as information theft, Web server intrusions, and vandalism.
Other current practices such as Secure Sockets Layer (SSL) are not exempt from SOP vulnerabilities. Despite the end-to-end authentication and encryption of an SSL session, a SOP compromise can cause an unauthenticated, malicious script to run in the name of the Hypertext Transfer Protocol Secure (HTTPS) domain. Under current practices, SOP violations can be widespread and contribute significantly to security vulnerabilities. Cross-domain vulnerabilities are sometimes called “universal XSS” bugs: when a browser contains a bug of this type, webpages from other websites are also exposed to SOP attacks, as if those websites themselves contained XSS bugs. Cross-domain bugs are not confined to a single browser and have affected various commercially available web browsers, including but not limited to Internet Explorer (IE), Firefox, Opera, and Netscape Navigator.
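To make concrete what the preceding paragraphs mean by an origin and by a script "running with the privilege of the domain", here is an added example (not code from the original document) that reduces URLs to the (scheme, host, port) tuple the browser compares, and contrasts rendering that lets injected markup become same-origin script with rendering that keeps the input as data. The URLs, the `probe()` payload and the function names are constructed for illustration.

```javascript
// Default ports per scheme: an explicit default port yields the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple compared by the Same-Origin Policy.
function origin(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Same origin only if all three components match; path and query are ignored.
// Note that http:// and https:// forms of one host are different origins.
function sameOrigin(a, b) {
  const oa = origin(a), ob = origin(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Unsafe rendering: untrusted input is pasted straight into the document, so a
// <script> element inside it executes as the page's own origin (an XSS bug).
function renderUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened rendering: encode the characters that can open a tag or attribute,
// so the input remains text rather than becoming code.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Detection helper: does the rendered markup still contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```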
Generally, it is difficult to anticipate all possible SOP vulnerabilities in today's Web services. Stated differently, the combined complexity of client mashups, server software, and the browser can be unmanageable. Given the nature of SOP attacks, as long as an SOP vulnerability exists at any point in this complex system, a malicious script can subvert the entire victim domain. Current practices generally do not provide effective, efficient, and repeatable mechanisms or operations for managing domain operations so as to mitigate or eliminate the effects of an SOP attack.
From the foregoing it is appreciated that there exists a need for systems and methods to ameliorate the shortcomings of existing practices.