Website developers frequently utilize software controls to provide specialized functionality to web applications. Generally, a software control (hereinafter, “control”) is defined as program instructions that manage data-handling tasks. Controls are typically reusable software components in binary form that can be plugged into other software components with relatively little effort. For example, a stock ticker control may be used to add a live stock ticker to a web page, or an animation control can be used to add animation features to a web page.
Controls may be downloaded to a client computer together with the web pages that invoke them. Once a control is downloaded by a web page, it remains on the client computer. Subsequent execution of the web page will execute the control without requiring the control to be downloaded again. However, other web pages may also invoke the control, even though the control was not downloaded with that web page. This invocation may even be accomplished without the user's knowledge.
This can lead to exploitation of the control by an unauthorized user. The unauthorized user may use the control for something other than its intended function, or use the control function in a manner contrary to the intended use of the control function. The results of such exploitation can be loss or corruption of data, exposure of sensitive materials, or other security compromises.
As an example of how serious this exploitation can be, consider a user who downloads a control that accesses banking software on the user's computer. The user trusts the author of the control and the website, and uses the control according to its intended function. But when the user has finished using the control, the user may not even be aware that the control and its functionality remain on the user's computer. Thereafter, a web page set up by a hacker and accessed by the user may invoke the control and gain access to the user's banking software. The hacker may then have the ability to write unauthorized checks on the user's account, transfer funds electronically from the account, and so on.
To help combat this problem, signed controls have been developed. Signed controls contain a digital signature that uniquely identifies the author of the control. When the signed control is accessed, the control is authenticated by the downloading computer. Once authenticated, a determination is made as to whether the author of the control is an authorized source for controls. If so, the control may be invoked. However, this verification is only made when the control is initially downloaded. Once the user downloads the control, the control may be invoked by any other application without authorization from the user.
In addition to signed controls, the notion of trusted sites has been utilized whereby a user may confidently use a control downloaded from certain user-identified sites. Again, however, the problem remains that once a user has authorized the download of a control, the user can no longer safeguard against unauthorized use of that control.
Some operating systems, such as the WINDOWS family of operating systems produced by MICROSOFT CORPORATION, provide a feature whereby a control writer can specifically mark a control as being “safe” to avoid having to perform additional steps each time the control is used. A control can only be marked as safe if no other web site could possibly use the control in an unsafe manner. Once the control is marked as safe, it can be invoked without further precautionary measures being taken.
It is desirable to mark a control as safe so that a computer user can be confident that the control can be downloaded without causing harm to the user's computer. However, many valuable controls that can be safely invoked cannot be marked as safe because they do not satisfy the requirement that they cannot be used in an unsafe manner. These controls must be marked as “unsafe” even though they can be invoked in a safe manner. This is problematic in that a user may not download such a control simply because it is marked as unsafe, since the user does not know the exact reason that the control has been marked as unsafe. Such an unsafe designation may cause unnecessary apprehension and inconvenience to the user.
The implementations described herein overcome this disadvantage and allow a control writer to mark a control as safe, since malicious web pages will be prevented from invoking the safe control in an unsafe manner.
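The gap described above, where a signed control is checked only at download and can then be invoked by any page, is modeled in the following added example, which is not code from the original text or from any real control host. It contrasts that behaviour with a check made on every invocation. Assumptions: `ControlHost`, `install`, `invoke` and the origins are hypothetical names, an HMAC stands in for the publisher's digital signature, and the per-invocation origin allowlist is one possible check, not necessarily the mechanism of the implementations described herein.

```python
import hashlib
import hmac

# Constructed sample data: publishers the client treats as authorized sources.
# An HMAC stands in for a real digital signature so the example is stdlib-only.
TRUSTED_PUBLISHERS = {"Example Bank": b"constructed-demo-key"}


def sign(publisher_key, code):
    return hmac.new(publisher_key, code, hashlib.sha256).digest()


class ControlHost:
    """Hypothetical model of the client-side store of downloaded controls."""

    def __init__(self, check_caller):
        self.check_caller = check_caller  # False = download-time check only
        self.installed = {}               # control name -> allowed origins

    def install(self, name, publisher, code, signature, allowed_origins):
        """Download-time check: authenticate the control and its author."""
        key = TRUSTED_PUBLISHERS.get(publisher)
        if key is None:
            raise PermissionError("publisher is not an authorized source")
        if not hmac.compare_digest(sign(key, code), signature):
            raise PermissionError("signature does not match control")
        self.installed[name] = frozenset(allowed_origins)

    def invoke(self, name, page_origin):
        """Called whenever a web page asks to run an installed control."""
        allowed = self.installed[name]  # KeyError if never downloaded
        if self.check_caller and page_origin not in allowed:
            return "blocked"
        return "executed"


def demo(check_caller):
    """Install once from the bank's page, then invoke from two origins."""
    host = ControlHost(check_caller)
    code = b"banking control binary (constructed)"
    sig = sign(TRUSTED_PUBLISHERS["Example Bank"], code)
    host.install("BankControl", "Example Bank", code, sig,
                 ["https://bank.example"])
    return (host.invoke("BankControl", "https://bank.example"),
            host.invoke("BankControl", "https://other.example"))
```

With `check_caller=False` the second page runs the control even though it never passed any check of its own; with `check_caller=True` only the origin recorded at install time can invoke it.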