Method and system for blocking malicious third party site tagging
US-2016323309-A1 · Nov 3, 2016 · US
Endpoint segregation to prevent scripting attacks
US10044728B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-10044728-B1 |
| Application number | US-201514792003-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jul 6, 2015 |
| Priority date | Jul 6, 2015 |
| Publication date | Aug 7, 2018 |
| Grant date | Aug 7, 2018 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A secure and efficient technique to prevent cross-site scripting attacks based on segregating the content within a given content page among independent endpoints, or servers, where static content is provided from one endpoint and active content is provided from another endpoint. Together, the different endpoints make up an endpoint segregation system. Further, security features of HTTP/HTML are used to restrict sources from which active content may be executed according to the division of static and active content among the endpoints of the endpoint segregation system.
First claim
Opening claim text (preview).
What is claimed is: 1. A system, comprising: a static content endpoint server implemented by one or more hardware computing devices, wherein the static content endpoint server is configured to: receive a content page request from a client application; generate a content page response to the content page request, wherein the content page response comprises a page including static content for the requested content page, an active content source reference that instructs the client application to download an active content loader from an active content endpoint, and a first policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint; and provide the content page response to the client application from a static content endpoint that is distinct from the active content endpoint; an active content endpoint server implemented by one or more hardware computing devices, wherein the active content endpoint server is configured to: receive a loader request from the client application for the active content loader, wherein the active content loader is configured to execute at the client application to download, from the active content endpoint, one or more active content files for active content specified for the content page and a filtering pipe for the active content specified for the content page, wherein the filtering pipe is configured to execute at the client application to filter parameters for methods of the active content files prior to the methods executing at the client application; generate a loader response to the loader request, wherein the loader response comprises the active content loader and a second policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint; provide the loader response to the client application from the active content endpoint; receive, from the active content loader at the client application, an active content request for the one or more active content files for active content specified for the content page; generate an active content response to the active content request, wherein the active content response comprises the one or more active content files and the second policy setting that instructs the client application to not execute any active content for the content page unless the source of the active content is the active content endpoint; and provide the active content response to the client application from the active content endpoint. 2. The system of claim 1 , wherein the page is among a plurality of pages accessible from the static content endpoint server, wherein to generate the content page response to the content page request, the static content endpoint server is further configured to: filter the page to remove active content source reference instructions except for the active content source reference that instructs the client application to download the active content loader from the active content endpoint; include the page in the content page response without filtering the page to remove active content; and set the first policy setting within the content page response. 3. The system of claim 1 , wherein the active content endpoint server is further configured to: receive a request from the client application for a template for the content page, wherein the template specifies the active content files for the content page; and provide the template to the client application. 4. The system of claim 3 , wherein the template further specifies method names of the methods of the active content files to be called and parameters to the methods, wherein the filtering pipe obtains the method names and parameters specified in the template in order to filter the parameters prior to the methods executing at the client application. 5. The system of claim 3 , wherein the active content loader provided from the active content server examines the template to determine the active content files to request from the active content endpoint. 6. The system of claim 1 , wherein the active content endpoint server is further configured to: receive a request from the client application for a filtering pipe configuration file corresponding to the content page, wherein the filtering pipe configuration file includes mapping information between the methods of the active content files and filtering methods; and provide the filtering pipe configuration file to the client application; wherein to filter parameters for the methods of the active content files prior to the methods executing at the client application, the filtering pipe is configured to, for each given method of the methods of the active content files: examine the filtering pipe configuration file to determine a filtering method to apply for the given method to be invoked; call the determined filtering method to filter parameters for the given method to generate a filtered set of parameters; and invoke the given method with the filtered set of parameters. 7. The system of claim 6 , wherein to determine the filtering method to apply for the given method of the methods of the active content files, the filtering pipe is further configured to: determine, based on an examination of the filtering pipe configuration file, that no filtering method is mapped to the given method of the methods of the active content files; and determine the filtering method to apply to be a default filtering method. 8. The system of claim 6 , wherein the active content endpoint server is further configured to: receive a request from the client application for the filtering methods; and provide the filtering methods to the client application; wherein a given filtering method of the filtering methods is configured to, in response to being invoked with a method identifier and a suspect set of parameters: apply a whitelist filter to the suspect set of parameters, wherein the whitelist filter is defined based at least on a type of parameters expected for a method corresponding to the method identifier, or identify one or more portions of the suspect set of parameters interpretable by the client application as active content and encode the identified one or more portions to not be interpretable by the client application as active content. 9. The system of claim 1 , wherein to generate the content page response to the content page request, the static content endpoint server is further configured to: generate a Hypertext Transfer Protocol (HTTP) message, wherein the HTTP message includes: a message header specifying the first policy setting as an HTTP content security policy; and a Hypertext Markup Language (HTML) message body including the page. 10. The system of claim 1 , wherein to generate the content page response to the content page request, the static content endpoint server is further configured to: insert a Hypertext Markup Language tag within the page specifying the first policy setting as a Hypertext Transfer Protocol content security policy. 11. A method, comprising: performing by one or more servers of a static content endpoint, in response to receiving a content page request from a client application: generating a content page response to the content page request, wherein the content page response comprises a page including static content for the requested content page, an active content source reference that instructs the client application to download an active content loader from an active content endpoint, and a first policy setting that instructs the client application to not e
Assignees
Inventors
Classifications
Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title
by securing the transmission between two devices or processes · CPC title
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
- H04L63/105Primary
Multiple levels of security · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10044728B1 cover?
- A secure and efficient technique to prevent cross-site scripting attacks based on segregating the content within a given content page among independent endpoints, or servers, where static content is provided from one endpoint and active content is provided from another endpoint. Together, the different endpoints make up an endpoint segregation system. Further, security features of HTTP/HTML are…
- Who is the assignee on this patent?
- Amazon Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/105. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Aug 07 2018 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).