Securing JavaScript applications within the Spotify web player
KTH, School of Computer Science and Communication (CSC).
2014 (English)
Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Alternative title
Säkra JavaScriptapplikationer i Spotifys webbspelare (Swedish)
Abstract [en]

Developing bug free software is extremely difficult and bugs in a web application can easily lead to security vulnerabilities. Building APIs and opening up your platform has been proven to add a lot of business value and Spotify has recently released a JavaScript API that allows third party developers to develop applications for the Desktop based music player. In this thesis we design new security mechanisms for Spotify's web-based music player in order to make it more robust against attacks stemming from code injection and, potentially malicious, third party developers. We do this by designing a secure way for transferring third party application metadata via untrusted JavaScript code and implementing the Content-Security-Policy, a relatively new web standard, for third party applications and the web player itself. We then propose additions to the Content-Security-Policy web standard that could further improve the security of modern web applications.

Abstract [sv] (translated from Swedish)

Developing bug-free software is extremely difficult, and bugs in a web application can easily lead to security holes. Building APIs and opening up one's platform has previously proven profitable, and Spotify has recently released a JavaScript API that allows third-party developers to develop applications for its desktop-based music player. In this thesis we design new security mechanisms for Spotify's web-based music player in order to make it more robust against attacks that can arise from code injection or from a, potentially malicious, third-party developer. We achieve this by designing a secure way to transfer metadata for third-party applications via untrusted JavaScript code and by implementing the relatively new web standard Content-Security-Policy for both third-party applications and the web player itself. We then propose additions to the Content-Security-Policy web standard that can raise the security of modern web applications.

Place, publisher, year, edition, pages
2014.
National Category
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-153759
OAI: oai:DiVA.org:kth-153759
DiVA: diva2:753576
Examiners
Available from: 2014-11-24 Created: 2014-10-08 Last updated: 2014-11-24
Bibliographically approved

Open Access in DiVA

fulltext (1073 kB) 1524 downloads
File information
File name: FULLTEXT01.pdf
File size: 1073 kB
Checksum SHA-512: 09dd30a7e66f727d93aa7bac22024a813c8b9568e1e91b8ef980e5600ae1fed6e4bda9e392714da480ed7e5fef9393df6ad819b7ed27c02891dbdb420edbf54a
Type: fulltext
Mimetype: application/pdf

By organisation
School of Computer Science and Communication (CSC)
Computer Science

Total: 1524 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are no longer available.