Abstract: In some embodiments, a collaboration feature overlays a web application by receiving a network communication that was redirected from the web application by a suffix proxy. The collaboration feature supplements or replaces activity of the web application by maintaining per-user-account activity states, deriving a shared collaboration state from the activity states, and supplying the shared collaboration state to multiple user accounts. The collaboration feature is installed without modifying the web application. The collaboration feature provides user accounts with a collaboration capability, such as shared document editing, chat rooms, shared calendars, or shared private workspaces. Some collaboration features overlay multiple web applications, even from different vendors, and some collaboration features support posting collaboratively created content to a website even when some contributors to the content are not registered users of the website.

Abstract: In one or more examples, a network proxy agent runs inside an isolated (e.g. sandboxed or virtualized) execution environment and a non-isolated application (e.g., web browser) instance runs outside of the isolated execution environment. The network proxy agent acts as a proxy in the sense that network traffic to and from the application instance is routed through the network proxy agent, and thus via the isolated execution environment. A content access policy is supplied to the content access policy agent, and the content access policy agent enforces the content access policy inside the isolated execution environment in relation to the network traffic. For example, content from a certain resource may be restricted according to the content access policy, in which case content requested from that resource is contained within the isolated environment, and replacement content is served to the non-isolated application instance instead.

Abstract: In some embodiments, a collaboration feature overlays a web application by receiving a network communication that was redirected from the web application by a suffix proxy. The collaboration feature supplements or replaces activity of the web application by maintaining per-user-account activity states, deriving a shared collaboration state from the activity states, and supplying the shared collaboration state to multiple user accounts. The collaboration feature is installed without modifying the web application. The collaboration feature provides user accounts with a collaboration capability, such as shared document editing, chat rooms, shared calendars, or shared private workspaces. Some collaboration features overlay multiple web applications, even from different vendors, and some collaboration features support posting collaboratively created content to a website even when some contributors to the content are not registered users of the website.

Abstract: The disclosure is generally directed towards a client device agent (e.g., a network agent) learning that a service domain is authenticated via a corresponding suffix proxy domain. The network agent may then direct a service domain request to the suffix proxy domain. The learning process generally involves evaluating headers in URL redirection communications between the client device and an authentication service, such as an identity provider (IDP). Based on a session control policy, the IDP may “bounce” the user to a proxy service (e.g., a suffix proxy). Accordingly, the IDP may include a “bouncer”. The network agent generally learns from the headers that a request to a service domain gets redirected (e.g., bounced) to a suffix proxy domain. The agent intercepts subsequent requests to the service domain, updates the request URL, and sends the updated request to the suffix proxy domain.

Abstract: In one or more examples, a network proxy agent runs inside an isolated (e.g. sandboxed or virtualized) execution environment and a non-isolated application (e.g., web browser) instance runs outside of the isolated execution environment. The network proxy agent acts as a proxy in the sense that network traffic to and from the application instance is routed through the network proxy agent, and thus via the isolated execution environment. A content access policy is supplied to the content access policy agent, and the content access policy agent enforces the content access policy inside the isolated execution environment in relation to the network traffic. For example, content from a certain resource may be restricted according to the content access policy, in which case content requested from that resource is contained within the isolated environment, and replacement content is served to the non-isolated application instance instead.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: The disclosure is directed towards providing resource providers, identity service providers (IDPs), and proxy services the ability to continuously evaluate one or more (temporally varying) conditions for which a user's permissions to access resources of the resource provider is dependent upon. The disclosure provides various mechanisms for continuous access evaluation (CAE), such that the finite lifetime of an access token (AT) does not temporally quantize the ability to limit (or otherwise update) a client's access to the resource provider when conditions change that would otherwise change the client's permissions.

Abstract: The disclosure is generally directed towards a client device agent (e.g., a network agent) learning that a service domain is authenticated via a corresponding suffix proxy domain. The network agent may then direct a service domain request to the suffix proxy domain. The learning process generally involves evaluating headers in URL redirection communications between the client device and an authentication service, such as an identity provider (IDP). Based on a session control policy, the IDP may “bounce” the user to a proxy service (e.g., a suffix proxy). Accordingly, the IDP may include a “bouncer”. The network agent generally learns from the headers that a request to a service domain gets redirected (e.g., bounced) to a suffix proxy domain. The agent intercepts subsequent requests to the service domain, updates the request URL, and sends the updated request to the suffix proxy domain.

Abstract: Techniques for implementing systems using transactional version sets are described. Transactional version sets or t-sets include a collection of elements, each having a collection of metadata. A t-set is transactional in that a sequence of updates to one or more t-sets are made within an atomic transaction. A t-set is versioned since each committed transaction that updates it produces a new timestamped version that can be accessed via time-travel queries.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: According to examples, an apparatus may include a processor that may identify a navigation event responsive to a URL being entered into an address bar of a web browser, the URL having a domain and a URL component, and may determine whether the web browser received an instruction to navigate to a return URL, in which the return URL includes a suffix domain for a proxy and does not include the URL component. The processor may also, based on a determination that the web browser received the instruction to navigate to the return URL, generate a modified URL by appending the suffix domain to the URL to restore context of the URL for the proxy and navigate the web browser to the modified URL.

Abstract: Securing inter-frame communication within a web page. First, receipt of a request from a client for accessing a web page document is detected. The request includes a URL that identifies the web page document. The web page document has a tree structure that includes a top parent object and multiple child objects. The multiple child objects include at least a first child object associated with a first domain and a second child object associated with a second domain. The web page document is retrieved from a location corresponding to the URL. The code of the retrieved web page document is then modified to enable secure communication between modified code of the first child object and modified code of the second object. Finally, the modified web page document is sent to the client.

Abstract: Securing inter-frame communication within a web page. First, receipt of a request from a client for accessing a web page document is detected. The request includes a URL that identifies the web page document. The web page document has a tree structure that includes a top parent object and multiple child objects. The multiple child objects include at least a first child object associated with a first domain and a second child object associated with a second domain. The web page document is retrieved from a location corresponding to the URL. The code of the retrieved web page document is then modified to enable secure communication between modified code of the first child object and modified code of the second object. Finally, the modified web page document is sent to the client.

Abstract: Methods, systems, and media are shown for providing a reverse proxy system with SSO capability involving receiving an authentication response message from a client that includes an authentication token and a unique session identifier and determining whether the identifier is stored on the proxy service. If the session identifier is stored on the proxy service, sending the authentication response message to a service provider to which the authentication response message is directed. If the session identifier in the authentication response message is not stored on the proxy service: sending a login request message to the service provider to which the authentication response message is directed, receiving an authentication request message from the service provider that includes an other unique session identifier and redirects the authentication request message to an identity provider, storing the other session identifier, and sending the authentication request message with the other identifier to the client.

Abstract: A proxy server to retrieve a web address received from a client to a webserver is disclosed. The proxy server can include a reverse proxy server. The web address is converted into proxy address at the proxy server. The proxy address is wrapped into a wrapper domain with a wrapping frame.

Abstract: A proxy server to retrieve a web address received from a client to a webserver is disclosed. The proxy server can include a reverse proxy server. The web address is converted into proxy address at the proxy server. The proxy address is wrapped into a wrapper domain with a wrapping frame.

Abstract: Methods, systems, and media are shown for providing a reverse proxy system with SSO capability involving receiving an authentication response message from a client that includes an authentication token and a unique session identifier and determining whether the identifier is stored on the proxy service. If the session identifier is stored on the proxy service, sending the authentication response message to a service provider to which the authentication response message is directed. If the session identifier in the authentication response message is not stored on the proxy service: sending a login request message to the service provider to which the authentication response message is directed, receiving an authentication request message from the service provider that includes an other unique session identifier and redirects the authentication request message to an identity provider, storing the other session identifier, and sending the authentication request message with the other identifier to the client.