1. A method comprising:
- detecting a request from a first domain to access a second domain;
- applying cross-domain access heuristics to determine whether to allow the request, the cross-domain access heuristics defining common ownership characteristics between the first domain and the second domain;
- performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics; and
- blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics.
2. The method of claim 1 wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain have a common higher-level domain.
3. The method of claim 1 wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain have a common Internet Protocol (IP) address or subnet.
4. The method of claim 1 further comprising:
- querying domain registration data for the first domain and the second domain, wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain are registered to a common owner.
5. The method of claim 4 wherein the common owner is determined as a function of similarity between registrants of the first and second domains as members of a common group.
6. The method of claim 1 further comprising:
- accessing a cache to determine the common ownership characteristics for the first and second domains; and
- initiating a request to a domain resolver for domain data in response to failing to locate the common ownership characteristics for at least one of the first and second domains in the cache.
7. The method of claim 1 further comprising:
- enabling and disabling the detecting and applying in response to security settings of a web browser.
8. The method of claim 1 wherein the request is from hypertext transfer protocol (HTTP)-enabled content of the first domain to access HTTP-enabled content of the second domain.
9. The method of claim 1 wherein the access request from the first domain is initiated via one of a: script, frame, embedded media, style sheet, include file, page loading, user action, and links invoked through modules on a page.
10. A system comprising:
- a processing system configured to receive content from a first domain; and
- a cross-domain access filter executing on the processing system, the cross-domain access filter performing:
  - detecting a request from the first domain to access a second domain;
  - applying cross-domain access heuristics to determine whether to allow the request, the cross-domain access heuristics defining common ownership characteristics between the first domain and the second domain;
  - performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics; and
  - blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics.
11. The system of claim 10 further comprising:
- a web browser executing on the processing system, the cross-domain access filter filtering hypertext transfer protocol (HTTP)-enabled content from the first domain accessed via the web browser.
12. The system of claim 10 wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain have a common higher-level domain.
13. The system of claim 10 wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain have a common Internet Protocol (IP) address or subnet.
14. The system of claim 10 wherein the cross-domain access filter further performs:
- querying domain registration data for the first domain and the second domain, wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain are registered to a common owner, the common owner determined as a function of similarity between registrants of the first and second domains as members of a common group.
15. A computer program product comprising:
- a storage medium readable by a processing unit and storing instructions for execution by the processing unit for implementing a method, the method comprising:
  - detecting a request from a first domain to access a second domain;
  - applying cross-domain access heuristics to determine whether to allow the request, the cross-domain access heuristics defining common ownership characteristics between the first domain and the second domain;
  - performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics; and
  - blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics.
16. The computer program product of claim 15 wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain have a common higher-level domain.
17. The computer program product of claim 15 wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain have a common Internet Protocol (IP) address or subnet.
18. The computer program product of claim 15 further comprising:
- querying domain registration data for the first domain and the second domain, wherein the cross-domain access heuristics further comprise allowing the request in response to determining that the first domain and the second domain are registered to a common owner.
19. The computer program product of claim 15 further comprising:
- accessing a cache to determine the common ownership characteristics for the first and second domains; and
- initiating a request to a domain resolver for domain data in response to failing to locate the common ownership characteristics for at least one of the first and second domains in the cache, wherein the cache is one of a local cache and a server cache.
20. The computer program product of claim 15 further comprising:
- enabling and disabling the detecting and applying in response to security settings of a web browser, wherein the request is from hypertext transfer protocol (HTTP)-enabled content of the first domain to access HTTP-enabled content of the second domain.
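
The following Python sketch is an added example, not part of the claims or of any implementation by the applicants; it applies the ownership heuristics of claims 2 to 4 with the cache-then-resolver lookup of claim 6. The names `CrossDomainFilter` and `registrable_domain`, the /24 subnet size, the suffix set and all lookup data are assumptions constructed for illustration, and registrant matching is simplified to a case-insensitive comparison.

```python
import ipaddress

# Constructed sample data; a real filter would query DNS and registration records.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}   # tiny stand-in for the Public Suffix List
RESOLVER_DATA = {                            # host -> (IP address, registrant)
    "www.example.com":    ("192.0.2.10",    "Example Corp"),
    "static.example.com": ("198.51.100.20", "Example Corp"),
    "media.example.net":  ("192.0.2.77",    "Hosting Co"),
    "example.org":        ("203.0.113.5",   "example corp"),
    "tracker.test":       ("198.51.100.99", "Other Ltd"),
}

def registrable_domain(host):
    """Return the public suffix plus the one label directly below it."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

class CrossDomainFilter:
    def __init__(self, resolver, prefix_len=24):
        self.resolver = resolver
        self.prefix_len = prefix_len      # assumed subnet size for the IP heuristic
        self.cache = {}
        self.resolver_calls = 0

    def _lookup(self, host):
        # Cache first; fall back to the resolver only on a miss.
        if host not in self.cache:
            self.resolver_calls += 1
            self.cache[host] = self.resolver.get(host)
        return self.cache[host]

    def decide(self, first, second):
        """Return ("allow", heuristic_name) or ("block", None)."""
        if registrable_domain(first) == registrable_domain(second):
            return ("allow", "common-higher-level-domain")
        a, b = self._lookup(first), self._lookup(second)
        if a is None or b is None:
            return ("block", None)        # no ownership data, so no heuristic is met
        net = ipaddress.ip_network(f"{a[0]}/{self.prefix_len}", strict=False)
        if ipaddress.ip_address(b[0]) in net:
            return ("allow", "common-ip-or-subnet")
        if a[1].strip().lower() == b[1].strip().lower():
            return ("allow", "common-registrant")
        return ("block", None)
```

Comparing only the last two labels would treat every host under a suffix such as `co.uk` as commonly owned, which is why the sketch consults a suffix set first. The IP or subnet heuristic is a weak ownership signal wherever unrelated sites share hosting or a CDN address range.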