20s-2550: L23 Web Exploits

Materials

You can use the L23 slides (pdf) to take notes.

L23 annotated slides (pdf) from lecture have my drawings.

Please see piazza@439 for a link to the recorded video.

Summary

  1. How does HTTP work? It is a stateless protocol that runs over TCP (and TLS) consisting of a handful of commands, such as GET, POST, etc. It is mainly used to transfer HTML (hypertext markup language) documents.

  2. HTML pages are hierarchical and can be abstracted into a DOM (document object model). JavaScript is a scripting language that runs in the same context as an HTML page; it can manipulate or change the DOM to allow for basic interaction on a webpage. This JavaScript also introduces security vulnerabilities.

  3. An important goal for browser design is to support strong isolation. What does this mean?

  4. The principal method for isolation is based on a “same origin policy” for pages. A page can only access/manipulate resources that belong to the same origin (with a small number of exceptions).

  5. Although HTTP is stateless, the “web experience” usually requires sessions and state. (Give a concrete example why.) Implementing state can be done in many ways, but browser cookies are the most popular.

  6. How does a cookie work? Your browser receives instructions from an HTTP server to set a cookie; on future fetch requests to that same origin, your browser automatically includes all cookies for that origin.

  7. Handling cookie-based authentication correctly is important. For one, the cookie information that handles session management should be unpredictable to an attacker. What crypto primitives can be used to achieve this property?

  8. This automatic cookie attachment enables an attack: cross-site request forgery (CSRF).
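As an added illustration of points 6 to 8 (this is example code written for these notes, not from the lecture), here is a toy browser cookie jar and a toy bank server: the session cookie is set at login and then attached automatically to every request to that origin, which is exactly what a forged cross-site request relies on; the server refuses a request that lacks a per-session token that only its own pages can read. The origin https://bank.example, the user "alice", and the BankServer/Browser/demo names are constructed for the example.

```python
import secrets
from urllib.parse import urlsplit

def origin_of(url):
    """scheme://host[:port]: the unit that the same-origin policy and the cookie jar key on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

class BankServer:
    """Constructed origin https://bank.example: logs a user in, then moves money on POST /transfer."""
    def __init__(self):
        self.sessions = {}             # session id -> {"user": ..., "csrf": ...}
        self.balances = {"alice": 100}
    def handle(self, method, url, cookies, form):
        path = urlsplit(url).path
        if method == "POST" and path == "/login":
            # Session id and CSRF token from a CSPRNG (256 bits each): unguessable and not enumerable.
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": form["user"], "csrf": secrets.token_urlsafe(32)}
            return {"status": 200, "set_cookie": {"session": sid}, "csrf": self.sessions[sid]["csrf"]}
        sess = self.sessions.get(cookies.get("session"))
        if sess is None or method != "POST" or path != "/transfer":
            return {"status": 401 if sess is None else 404}
        # Synchronizer token: the cookie arrives automatically, the token must be supplied by the page.
        if not secrets.compare_digest(form.get("csrf", ""), sess["csrf"]):
            return {"status": 403}
        self.balances[sess["user"]] -= int(form["amount"])
        return {"status": 200, "balance": self.balances[sess["user"]]}

class Browser:
    """Cookie jar keyed by origin; every request to an origin carries that origin's cookies."""
    def __init__(self, servers):
        self.servers, self.jar = servers, {}
    def request(self, method, url, form=None):
        origin = origin_of(url)
        resp = self.servers[origin].handle(method, url, dict(self.jar.get(origin, {})), form or {})
        for name, value in resp.get("set_cookie", {}).items():
            self.jar.setdefault(origin, {})[name] = value
        return resp

def demo():
    bank = BankServer()
    browser = Browser({"https://bank.example": bank})
    login = browser.request("POST", "https://bank.example/login", {"user": "alice"})
    # Legitimate transfer: the bank's own page submits the token it received at login.
    ok = browser.request("POST", "https://bank.example/transfer", {"amount": "30", "csrf": login["csrf"]})
    # Forged request from a page on another origin: the browser still attaches the session
    # cookie, but that page cannot read the token, so the transfer is refused.
    forged = browser.request("POST", "https://bank.example/transfer", {"amount": "30"})
    return ok["status"], forged["status"], bank.balances["alice"]
```

demo() returns (200, 403, 70): the page-supplied token is what separates the two requests, since the cookie is present on both.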