Patents by Inventor Itamar AZULAY

Itamar AZULAY has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220150280
    Abstract: Context menu item operations pose risks to sensitive data, such as confidentiality violations from data exfiltration during “search” or “translate” communications with external sites, as well as “paste”, “delete”, “move” and other context menu item operations that may harm data integrity or data availability even if no external site is involved. Control scripts injected by a security broker or proxy, working with event listeners in a web page, may be used to monitor and control web browser context menu item displays and functionalities based on suggested or mandated context menu policy actions obtained from a policy server. Policy that is specific to context menus is also enforced in other interactive programs that use context menus, thereby protecting sensitive data against both malevolent efforts and innocent mistakes. Protection may be provided for any kind of sensitive data, regardless of the sensitivity designation criteria or mechanism.
    Type: Application
    Filed: November 6, 2020
    Publication date: May 12, 2022
    Inventors: Itamar AZULAY, Ishay HILZENRAT, Tomer CHERNI
  • Patent number: 11283837
    Abstract: A domain is automatically attributed to a cloud application hosted on a cloud service. The attribution of a domain with a cloud application is used to initiate session policies that protect the cloud applications. A security session monitors the operations performed by a user with a cloud application and applies session policies that are pre-configured automated actions used to protect a particular cloud application, such as blocking downloads, blocking modifications, etc.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: March 22, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Itamar Azulay, Idan Gadot, Amir Geri
  • Patent number: 11265297
    Abstract: Sharing context between web frames increases consistent application of security policies, without requiring changes to a document object model. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a context in frame creation or frame navigation code. Thus, context such as a domain identification is made available for sharing between the first web frame and a second web frame without altering a document object model of a web page of the first web frame, and without imposing a same-origin policy workaround. Sharing the context allows the proxy to ascertain a policy based on the context, so it can apply the policy in reactions to subsequent requests. Context sharing allows window frames to be associated together in the proxy, and informs browser rendering.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: March 1, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Guy Lewin, Itamar Azulay, Lucy Goldberg
  • Publication number: 20220012070
    Abstract: Methods and systems are provided for a browser in a client device that receives a user interface script-code snippet from a web page. A chain logic engine determines whether an in-memory map indicates an output value of prior execution of the UI script-code snippet. If the in-memory map does indicate the output value, it is returned from the in-memory map to generate the user interface. If not, the engine determines whether an in-local storage map indicates the prior executed snippet output. If the in-local storage map indicates the prior executed snippet output, it is returned from the in-local storage map to generate the user interface, and it is stored in the in-memory map. If not, the UI script-code snippet is executed to generate the output value, which is used to generate the user interface, and is stored in the in-memory map and in the in-local storage map.
    Type: Application
    Filed: July 9, 2020
    Publication date: January 13, 2022
    Inventors: Itamar Azulay, Amir Geri, Guy Lewin, Yossi Haber, Meir Baruch Blachman
  • Patent number: 11200367
    Abstract: Securing inter-frame communication within a web page. First, receipt of a request from a client for accessing a web page document is detected. The request includes a URL that identifies the web page document. The web page document has a tree structure that includes a top parent object and multiple child objects. The multiple child objects include at least a first child object associated with a first domain and a second child object associated with a second domain. The web page document is retrieved from a location corresponding to the URL. The code of the retrieved web page document is then modified to enable secure communication between modified code of the first child object and modified code of the second object. Finally, the modified web page document is sent to the client.
    Type: Grant
    Filed: October 14, 2019
    Date of Patent: December 14, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nir Mardiks Rappaport, Vikas Malik, Itamar Azulay
  • Publication number: 20210367928
    Abstract: Generally discussed herein are devices, systems, and methods for secure cloud application provisioning. A method can include, while providing access to the cloud application, receiving data indicating a first universal resource locator (URL) entered in a search bar of a web browser associated with the cloud application has changed to a second URL, determining whether the second URL has a valid certificate, and in response to determining the second URL is associated with the cloud application and a valid certificate for the second URL exists, providing resources for the second URL and the valid certificate to the web browser or in response to determining the second URL is not associated with the application, re-directing the web browser away from the proxy server.
    Type: Application
    Filed: May 22, 2020
    Publication date: November 25, 2021
    Inventors: Itamar Azulay, Daniel Senderovich, Tomer Cherni, Meir Blachman
  • Publication number: 20210360080
    Abstract: An example inline frame monitor is disclosed. The inline frame monitor injects monitoring logic into a document object model to monitor an activity within a dynamically loaded inline frame of a web page. Data regarding the activity within the dynamically loaded inline frame is received. A policy is applied to validate or invalidate the activity within the dynamically loaded inline frame.
    Type: Application
    Filed: May 13, 2020
    Publication date: November 18, 2021
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Meir Blachman, Itamar Azulay, Guy Lewin
  • Patent number: 11171926
    Abstract: Communication between web frames increases consistent application of security policies, without reducing security. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a control frame child creation in frame creation or frame navigation code. The control frame child code only permits setting and retrieving data of a browser store, using postMessage() without reference to external resources or external scripts. Safely sharing message data this way between frames allows the proxy to ascertain a policy based on the shared data, so the proxy and browser can apply the policy in reactions to subsequent requests, allows window frames to be associated together in the proxy, allows initialization control, supports reporting, and otherwise enhances browsing without reducing security.
    Type: Grant
    Filed: September 4, 2019
    Date of Patent: November 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Itamar Azulay, Itay Levy, Lucy Goldberg
  • Patent number: 11036447
    Abstract: Restricting the printing of sensitive electronic documents. After the client downloads a document (e.g., by viewing the document in a web browser), the client intercepts a print command, pauses the print, and issues a print request to a server. From a server perspective, upon receiving the request, the server determines whether the document is print restricted. If not, the print operation is permitted to proceed. If so, the server responds negatively to the print request and alters the document so that, even if printed, sensitive information is not printed. In another embodiment, the server may restrict printing prior to downloading a document. For example, the server may make the document read-only, or replace the document with another printable document that does not contain sensitive content.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: June 15, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Itamar Azulay, Itay Levy, Yossi Haber
  • Publication number: 20210124536
    Abstract: Restricting the printing of sensitive electronic documents. After the client downloads a document (e.g., by viewing the document in a web browser), the client intercepts a print command, pauses the print, and issues a print request to a server. From a server perspective, upon receiving the request, the server determines whether the document is print restricted. If not, the print operation is permitted to proceed. If so, the server responds negatively to the print request and alters the document so that, even if printed, sensitive information is not printed. In another embodiment, the server may restrict printing prior to downloading a document. For example, the server may make the document read-only, or replace the document with another printable document that does not contain sensitive content.
    Type: Application
    Filed: October 29, 2019
    Publication date: April 29, 2021
    Inventors: Itamar AZULAY, Itay LEVY, Yossi HABER
  • Patent number: 10992658
    Abstract: Techniques are disclosed for session control of a client-side native application that utilizes a browser for an authentication process. A login request from the browser is received in a proxy service, which scans the request for a URL redirecting back to the native application. The URL is modified to redirect the login request to a policy endpoint to determine if the request is allowed based on policy applied to the native application and browser. If the request is allowed, the policy endpoint restores the URL redirecting to the native application and bypasses the request to resume normal authentication flow. If the request is prohibited, a failure message is sent to the browser. Some implementations may include injection of browser detection code into the browser to determine which variant of the browser is used and sending the browser data regarding the variant to the policy endpoint for consideration in applying policy.
    Type: Grant
    Filed: January 21, 2019
    Date of Patent: April 27, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Itamar Azulay, Yossi Haber
  • Publication number: 20210109992
    Abstract: Securing inter-frame communication within a web page. First, receipt of a request from a client for accessing a web page document is detected. The request includes a URL that identifies the web page document. The web page document has a tree structure that includes a top parent object and multiple child objects. The multiple child objects include at least a first child object associated with a first domain and a second child object associated with a second domain. The web page document is retrieved from a location corresponding to the URL. The code of the retrieved web page document is then modified to enable secure communication between modified code of the first child object and modified code of the second object. Finally, the modified web page document is sent to the client.
    Type: Application
    Filed: October 14, 2019
    Publication date: April 15, 2021
    Inventors: Nir Mardiks RAPPAPORT, Vikas MALIK, Itamar AZULAY
  • Publication number: 20210103461
    Abstract: Systems and methods are provided for managing dynamic controls over access to computer resources and, even more particularly, for evaluating and re-evaluating dynamic conditions and changes associated with user sessions. The systems and methods are configured to automatically make a determination as to whether new or additional authentication credentials are required for a user that is already authorized for accessing resources in a user session, in response to triggering events such as the identification of a new or changed condition associated with the user session.
    Type: Application
    Filed: October 5, 2019
    Publication date: April 8, 2021
    Inventors: Alexander Esibov, Itamar Azulay
  • Publication number: 20210067494
    Abstract: Communication between web frames increases consistent application of security policies, without reducing security. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a control frame child creation in frame creation or frame navigation code. The control frame child code only permits setting and retrieving data of a browser store, using postMessage() without reference to external resources or external scripts. Safely sharing message data this way between frames allows the proxy to ascertain a policy based on the shared data, so the proxy and browser can apply the policy in reactions to subsequent requests, allows window frames to be associated together in the proxy, allows initialization control, supports reporting, and otherwise enhances browsing without reducing security.
    Type: Application
    Filed: September 4, 2019
    Publication date: March 4, 2021
    Inventors: Itamar AZULAY, Itay LEVY, Lucy GOLDBERG
  • Patent number: 10922388
    Abstract: Methods, systems, and media are shown for session control by a proxy service of client-side applications in a client. A service request from a client is received by the proxy service and forwarded to a service provider, which sends a service response with a document. Event monitoring code is injected into the document and the response is forwarded to the client. The event monitoring code intercepts a user action and sends a query to the proxy service to determine whether the user action is permitted. The proxy service checks the user action against access data defined for the document and sends a query response to the event monitoring code indicating whether the user action is permitted. If the user action is permitted, the event monitoring code allows normal execution flow. If the user action is denied, the code blocks further execution.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: February 16, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Itamar Azulay, Yossi Haber
  • Publication number: 20210006595
    Abstract: A domain is automatically attributed to a cloud application hosted on a cloud service. The attribution of a domain with a cloud application is used to initiate session policies that protect the cloud applications. A security session monitors the operations performed by a user with a cloud application and applies session policies that are pre-configured automated actions used to protect a particular cloud application, such as blocking downloads, blocking modifications, etc.
    Type: Application
    Filed: July 3, 2019
    Publication date: January 7, 2021
    Inventors: ITAMAR AZULAY, IDAN GADOT, AMIR GERI
  • Publication number: 20210006544
    Abstract: Sharing context between web frames increases consistent application of security policies, without requiring changes to a document object model. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a context in frame creation or frame navigation code. Thus, context such as a domain identification is made available for sharing between the first web frame and a second web frame without altering a document object model of a web page of the first web frame, and without imposing a same-origin policy workaround. Sharing the context allows the proxy to ascertain a policy based on the context, so it can apply the policy in reactions to subsequent requests. Context sharing allows window frames to be associated together in the proxy, and informs browser rendering.
    Type: Application
    Filed: July 3, 2019
    Publication date: January 7, 2021
    Inventors: Guy LEWIN, Itamar AZULAY, Lucy GOLDBERG
  • Publication number: 20200403976
    Abstract: A proxy server to receive a request from a client to a webserver and a response corresponding with the request from the webserver to the client is disclosed. The request is wrapped, and a wrapped request is received at the proxy server. The wrapped request is read at the proxy server. Metadata is added to a response corresponding with the wrapped request at the proxy server. The metadata can be based on the read wrapped request or the corresponding response.
    Type: Application
    Filed: June 18, 2019
    Publication date: December 24, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Guy Lewin, Itamar Azulay, Yossi Haber
  • Publication number: 20200236102
    Abstract: Techniques are disclosed for session control of a client-side native application that utilizes a browser for an authentication process. A login request from the browser is received in a proxy service, which scans the request for a URL redirecting back to the native application. The URL is modified to redirect the login request to a policy endpoint to determine if the request is allowed based on policy applied to the native application and browser. If the request is allowed, the policy endpoint restores the URL redirecting to the native application and bypasses the request to resume normal authentication flow. If the request is prohibited, a failure message is sent to the browser. Some implementations may include injection of browser detection code into the browser to determine which variant of the browser is used and sending the browser data regarding the variant to the policy endpoint for consideration in applying policy.
    Type: Application
    Filed: January 21, 2019
    Publication date: July 23, 2020
    Inventors: Itamar AZULAY, Yossi HABER
  • Publication number: 20200167446
    Abstract: Methods, systems, and media are shown for session control by a proxy service of client-side applications in a client. A service request from a client is received by the proxy service and forwarded to a service provider, which sends a service response with a document. Event monitoring code is injected into the document and the response is forwarded to the client. The event monitoring code intercepts a user action and sends a query to the proxy service to determine whether the user action is permitted. The proxy service checks the user action against access data defined for the document and sends a query response to the event monitoring code indicating whether the user action is permitted. If the user action is permitted, the event monitoring code allows normal execution flow. If the user action is denied, the code blocks further execution.
    Type: Application
    Filed: November 26, 2018
    Publication date: May 28, 2020
    Inventors: Itamar AZULAY, Yossi HABER