SOMA Firefox Add-On

Latest Release

SOMA Firefox Add-On 1.0.0.2 (released 08/19/2008)

Clicking the link above should install SOMA in your browser. You will need to allow ccsl.carleton.ca to install software on your computer. If you prefer, you can download the xpi file to your computer and then drag the xpi file onto the Firefox browser window to begin the install.

You may wish to view the SOMA test page to test the SOMA add-on once it has been installed. For more explanation on how SOMA works, see below.

The SOMA Firefox Add-On is released under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

How SOMA works

Many current web attacks such as cross site scripting (XSS) and cross site request forgery (CSRF/XSRF) take advantage of the fact that browsers allow all inclusions into web pages without any additional checks. This means that a clever attacker can often find a way to get a page to send information to attacker.com or include a dangerous iframe from there. Or, on the other side, a malicious page might abuse loading content from a legitimate site.

SOMA (Same Origin Mutual Approval) is a policy designed to prevent these unwanted inclusions, thus preventing common web vulnerabilities. The idea is simple: both the site doing the including (the "origin" site) and the site whose content is being included (the "content provider") must approve of the inclusion before the browser does it.

  1. The origin site provides a soma-manifest which lists all the domains from which the site wishes to include. If no soma-manifest is provided, the browser assumes that all domains are allowed (to reflect the way things work currently).
  2. The content provider provides a soma-approval script which takes in the domain of the origin site and sends out a YES if the inclusion is allowed and a NO if it is not. If no soma-approval script is provided, then it is assumed that all responses are YES (to reflect the way things work currently).

Only content which is mutually approved can be included in the page. That means that the domain being included must appear in the origin site's soma-manifest, and the content provider must return a yes when soma-approval is queried. In the case of cross site scripting, the compromised page would try to include things not on the site's manifest, and fail. In the case of cross site request forgery, the content provider can deny access to scripts which change things on their site. Because these policy files are not part of the existing web application, they cannot be as easily compromised as the rest of the site, making it so attackers need to do more than just find a cross site scripting bug if they want to exploit the web site.

SOMA is compatible with existing web applications: it only requires small policy files containing lists of approved domains. SOMA does not need any time-consuming and complex changes within the web application code. Because of the permissive default behaviour, SOMA is incrementally deployable, providing immediate benefits for clients and servers that implement it without breaking existing web pages. And yet, despite its apparent simplicity, SOMA is still powerful enough to prevent many common web attacks such as XSS and XSRF.

More detailed information about SOMA and the SOMA Firefox Add-on can be found in the SOMA papers and presentations listed at the bottom of this page. For the quickest overview of SOMA, you might want to check out the slides from our presentation at ACM CCS.

How the SOMA add-on works

When the SOMA add-on is installed, a small icon will appear in the bottom right hand corner of your browser:

Corner of Firefox browser showing SOMA add-on icon

Clicking on this icon will bring up the options menu. Currently, there is only one option: enabling or disabling SOMA messages. SOMA places messages in the error console (Tools -> Error Console).

If you view our SOMA test page, for example, you should get something that looks like this screenshot of Firefox. The SOMA output to the console will look like this image of the firefox error console, assuming you have SOMA messages enabled. The bottom two messages show SOMA starting up, then there is one message getting the manifest for ccsl.carleton.ca, followed by 3 messages getting (or attempting to get) approvals from the sites listed on the manifest. There are no messages if the manifest is not found.

Contact Us

The authors of the SOMA Firefox Add-On can be reached at {toda,gwurster}@scs.carleton.ca

Publications

T. Oda, G. Wurster, P.C. van Oorschot, A. Somayaji. SOMA: Mutual Approval for Included Content in Web Pages. ACM Computer and Communications Security (CCS'08). Oct. 2008

T. Oda, G. Wurster, P.C. van Oorschot, A. Somayaji. Technical Report TR-08-07, Carleton Univeristy, Apr. 2008. [PDF, HTML]

Presentations

Slides for SOMA: Mutual Approval for Included Content in Web Pages as presented at ACM Computer and Communications Security (CCS'08). Oct. 2008.