The Field of the Invention
The present invention relates to security techniques that prevent unauthorized access to client computer resources when accessing the Internet. In particular, the present invention relates to systems, methods and associated data structures that enable a client computer to regulate the manner in which scripts received from the Internet are capable of accessing objects defined at the client computer.
In recent years, there has been a tremendous increase in the use of the Internet, especially the World Wide Web (“the web”). A client computer having access to the Internet can download digital information from server computers connected to the Internet. Client application and operating system software executing on client computers typically accept commands from a user and obtain data and services by sending requests to server applications running on server computers connected to the Internet.
Hypertext Transport Protocol (“HTTP”) is commonly used to transport web documents from web sites operated by remote servers to client computers. A web site may use one or more web servers that store and distribute documents in one of a number of formats including the Hyper Text Markup Language (HTML). An HTML document can contain text, graphics, audio clips, and video clips, as well as metadata or commands providing formatting information. HTML documents also can include embedded links that reference other data or documents located on a remote web site, the local computer or network server computers thereby providing convenient access to the referenced data.
When accessing information over the web, client computers typically operate a client application, software component or operating system utility referred to as a web browser. The browser establishes a user interface by which the text, graphics, audio, video, and other types of retrieved information are communicated to the user.
Client computers that access web sites can be conventional personal computers. Alternatively, client computers can be set-top boxes that display web documents on a conventional television, one example being WebTV set-top boxes developed by WebTV Networks, Inc. of Mountain View, Calif. Set-top boxes capable of accessing the Internet bring a new dimension to television viewing. For instance, a web server can deliver to the set-top box information relating to television programming that enhances regular television content. Moreover, viewers can be referred to web sites that have information relating to a particular television program.
The practice of embedding executable scripts in web documents has become increasingly common. Scripts are software components or short pieces of executable code that perform a designated function with respect to the document displayed by the browser or another feature of the client computer. For example, scripts are widely used to modify the appearance of text or graphics displayed on the browser in response to input provided by the user. As a result, scripts represent one technique for establishing interactivity between the user and the document displayed by the browser. JavaScript and VBScript are examples of commonly-used languages by which scripts are encoded in web documents. When a browser receives a web document, it processes the information encoded therein, including executing any scripts that are encountered.
Occasionally, scripts received by a client computer from a web server perform operations that are not desired by the user. This may occur either because the script developer intentionally designed the script to perform a malicious operation or because a bug in the script causes an unwanted result. One way in which browsers have addressed the problem of undesirable operations being performed by scripts is to notify the user prior to executing scripts. For example, the browser can generate a dialog window each time a script is to be executed. The script is executed only if the user expressly grants permission. This approach can result in the user being repeatedly asked to grant permission to execute scripts. Faced with frequent interruptions, a user may respond hastily and improperly.
A more flexible technique for controlling the execution of scripts, and one which has been successful in dealing with the problems that it was designed to address, has been used in connection with the Internet Explorer browser developed by Microsoft Corporation of Redmond, Wash. In particular, current versions of Internet Explorer exhibit a feature known as security zones, whereby executable code embedded in web documents is selectively executed or not executed, depending on the security level, or security zone, to which the originating web site is assigned. Using Internet Explorer security zones, a web site is assigned to one of multiple zones by referencing the web site's uniform resource locator (URL). When the client system is to perform an operation based on a script embedded in a web page from a particular web site, the client system refers to the security zones to determine the security level associated with the web site. If the web site is associated with a security zone that grants permission to execute scripts, the client system executes the script; otherwise, the script is not executed. This technique for regulating the execution of scripts is an all-or-nothing approach. In other words, depending on the security zone to which a particular web site is assigned, either all or none of the scripts originating from the particular web site are authorized to be executed.
During recent years, the complexity of the interaction between scripts and the client computer environment has increased. Scripts often request access to objects at the client system that control properties or features of the browser or other components of the client system. For instance, controls defined according to the ActiveX specification developed by Microsoft Corporation represent one example of objects that can be accessed by scripts received by client computers from web servers. By accessing and modifying ActiveX controls and other objects, scripts are capable of modifying the appearance of a document displayed to the user, controlling features of the browser, and controlling other components of the client system.
Conventional systems cannot reliably and flexibly grant scripts access to individual objects defined at a client system. Without a sufficiently secure access control system, a malicious web site could take control of a set-top box away from a user by manipulating an object that controls a tuner of the set-top box, thereby effectively blocking the user's commands. Similarly, one could imagine that an unauthorized web site could mimic a set-top box billing web site to steal credit card numbers or other sensitive information. In general, without a reliable access control system, scripts might gain access to objects at the client that define any of various types of properties, such as Internet dialing properties, enhanced television services, etc.
The full capabilities of accessing objects at client computers using scripts have not been completely realized because conventional access security systems, such as those described above, are not sufficiently flexible to adapt to the varied scripts and web sites that might attempt to access objects. For example, a particular web site might be trusted to change Internet dialing properties, but not trusted to change other properties at the client system. Conventional access security systems have not been capable of applying access control criteria to scripts with sufficient selectivity so as to allow a script originating at the web site to modify Internet dialing properties, while preventing the script from modifying other objects or properties at the client computer. Thus, it would be desirable to provide access control systems that allow scripts to access only certain objects and that operate with any desired degree of selectivity. Such access control systems would enable remote web sites to control properties and features of clients while preserving the security of clients.
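The following is an added example, not code from the patent or from any Microsoft product, that places the all-or-nothing security-zone check described above beside a selective, per-object access control list of the kind this section calls for. The origins, the two client objects (dialing, tuner), the grant syntax "object.member:modes" and the decision to apply the zone check before the per-object check are all assumptions made for illustration; the selective check is enforced with a JavaScript Proxy that mediates every read, write and call a script makes against a client object and denies anything not explicitly granted.

```javascript
// Added example (not from the patent): zone check versus per-object grants.
// Origins, object names and the "object.member:modes" grant syntax are
// assumptions made for illustration.

// Constructed client-side objects a downloaded script might try to drive.
function makeClientObjects() {
  return {
    dialing: { number: "555-0100", setNumber(n) { this.number = n; } },
    tuner:   { channel: 7,         setChannel(c) { this.channel = c; } },
  };
}

// --- Zone model: origin -> zone -> scripts run or do not (all or nothing) ---
const ZONES = { "https://isp.example": "trusted", "https://tvguide.example": "trusted" };
const ZONE_RUNS_SCRIPTS = { trusted: true, internet: false };

function zoneAllowsScripts(origin) {
  // Origins not listed fall into the least-trusted "internet" zone.
  return ZONE_RUNS_SCRIPTS[ZONES[origin] ?? "internet"] === true;
}

// --- Selective model: each origin gets explicit grants per object member ---
// Modes: r = read, w = write, x = call. Anything not granted is denied.
const ACL = {
  "https://isp.example":     ["dialing.number:rw", "dialing.setNumber:x"],
  "https://tvguide.example": ["tuner.channel:r"],
};

class AccessDenied extends Error {}

function parseGrants(entries) {
  // Prototype-less maps so that member names such as "constructor" or
  // "__proto__" never resolve to inherited Object.prototype entries.
  const grants = Object.create(null);
  for (const entry of entries) {
    const m = /^(\w+)\.(\w+):([rwx]+)$/.exec(entry);
    if (!m) throw new Error(`malformed grant: ${entry}`);
    const [, obj, member, modes] = m;
    grants[obj] ??= Object.create(null);
    grants[obj][member] ??= new Set();
    for (const mode of modes) grants[obj][member].add(mode);
  }
  return grants;
}

// Builds the restricted view of the client objects that a script from
// `origin` is allowed to see. Every access goes through a Proxy trap that
// consults the grants; the default is deny.
function viewFor(origin, objects) {
  const grants = parseGrants(ACL[origin] ?? []);
  const deny = (what) => { throw new AccessDenied(`${origin} may not ${what}`); };
  const view = {};
  for (const [name, target] of Object.entries(objects)) {
    const members = grants[name] ?? Object.create(null);
    const allows = (prop, mode) =>
      typeof prop === "string" && members[prop] !== undefined && members[prop].has(mode);
    view[name] = new Proxy(target, {
      get(t, prop) {
        // Check before reading so an ungranted getter is never even invoked.
        if (!allows(prop, "r") && !allows(prop, "x")) deny(`access ${name}.${String(prop)}`);
        const value = Reflect.get(t, prop, t);
        if (typeof value === "function") {
          if (!allows(prop, "x")) deny(`call ${name}.${String(prop)}`);
          return value.bind(t); // an "x" grant runs the object's own code with its own authority
        }
        if (!allows(prop, "r")) deny(`read ${name}.${String(prop)}`);
        return value;
      },
      set(t, prop, value) {
        if (!allows(prop, "w")) deny(`write ${name}.${String(prop)}`);
        return Reflect.set(t, prop, value, t);
      },
      deleteProperty(t, prop) { deny(`delete ${name}.${String(prop)}`); },
      defineProperty(t, prop) { deny(`redefine ${name}.${String(prop)}`); },
      setPrototypeOf() { deny(`change the prototype of ${name}`); },
    });
  }
  return Object.freeze(view);
}

// A script from `origin` runs only if its zone permits scripts at all, and
// then sees only the view its grants permit. Returns a small outcome record.
function runScript(origin, objects, script) {
  if (!zoneAllowsScripts(origin)) return { ran: false, reason: "zone forbids scripts" };
  try {
    return { ran: true, result: script(viewFor(origin, objects)) };
  } catch (e) {
    if (e instanceof AccessDenied) return { ran: true, denied: e.message };
    throw e;
  }
}

const clientObjects = makeClientObjects();
console.log(runScript("https://isp.example", clientObjects,
  (c) => { c.dialing.setNumber("555-0199"); return c.dialing.number; }));
// { ran: true, result: '555-0199' }
console.log(runScript("https://tvguide.example", clientObjects, (c) => c.tuner.setChannel(9)));
// { ran: true, denied: 'https://tvguide.example may not access tuner.setChannel' }
console.log(runScript("https://unknown.example", clientObjects, (c) => c.tuner.channel));
// { ran: false, reason: 'zone forbids scripts' }
```

The zone table answers only "may this site run scripts"; the grant table answers "which members of which objects may a script from this site touch, and how", which is the selectivity the paragraph above describes. Reads and calls are checked before the underlying property is touched so that a denied access has no side effect, and the grant maps are created without a prototype so that names inherited from Object.prototype cannot be mistaken for granted members.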