G06F21/128

Local secure rendering of web content
11074338 · 2021-07-27

A technique for securely rendering content downloaded over a network includes parsing a downloaded web page into a DOM (Document Object Model) tree and splitting the DOM tree into multiple DOM instances, where each DOM instance is dedicated to a respective type of web content. The technique processes each DOM instance using a respective render engine, which implements the security policy on the respective type of web content by blocking or altering content, and/or by limiting functionality that may be used in connection with the content.

Presenting content protected by multiple DRMS

Examples are disclosed related to presenting on a client device configured for a first digital rights management technology (DRM-1) content that is protected by a second digital rights management technology (DRM-2). One example provides a computing device configured to receive a request from an application for a DRM-2 license acquisition challenge, forward the request to a DRM-2 license acquisition challenge generator, receive a DRM-2 license acquisition challenge and DRM-2 state information, send the DRM-2 license acquisition challenge to the application, receive, from the application, a DRM-2 license acquisition response, generate a DRM-1 license acquisition challenge incorporating the DRM-2 license acquisition challenge, the DRM-2 license acquisition response, and the DRM-2 state information, send the DRM-1 license acquisition challenge to a remote DRM-1 license acquisition server, receive a DRM-1 license acquisition response comprising a key and a license policy, enforce the license policy for content protection, and decrypt content using the key.

Isolating an iframe of a webpage
11089050 · 2021-08-10

Isolating an iframe of a webpage. In one embodiment, a method may include targeting an iframe in a webpage for isolation, executing, in a server browser, iframe code, sending, from the remote isolation server to the local client, the webpage with the iframe code of the iframe replaced with isolation code, executing, in a client browser, webpage code and the isolation code, intercepting, in the client browser, webpage messages sent from the webpage code and intended to be delivered to the iframe, sending, to the remote isolation server, the intercepted webpage messages to be injected into the iframe code executing at the server browser, intercepting, at the server browser, iframe messages sent from the iframe code and intended to be delivered to the webpage, and sending, to the local client, the intercepted iframe messages to be injected into the webpage code executing at the client browser.

Origin and ownership verification of a digital object in a digital object architecture

A technique for verifying an origin of a digital object in a digital object architecture is described. The technique includes the steps of receiving, from a handle registry, handle information for a digital object that includes an attestation that references the handle identification value for the handle and origin identification information; verifying the authenticity of the attestation; after verifying the authenticity of the attestation, using the origin information in determining authorizations applicable to the digital object.

Authentication translation
11841929 · 2023-12-12

Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.

SYSTEMS AND METHODS FOR DYNAMICALLY RESTRICTING THE RENDERING OF UNAUTHORIZED CONTENT INCLUDED IN INFORMATION RESOURCES
20210203679 · 2021-07-01

Systems and methods for dynamically restricting rendering of unauthorized content included in information resources are provided herein. A computing device can identify an information resource including a content object specifying one or more graphical characteristics. The computing device can determine that the content object corresponds to a restricted content object by applying at least one of an action-based detection policy to detect actions performed on the information resource or a visual-based detection policy to detect the graphical characteristics of the content object. Responsive to the determination, the computing device can modify the information resource, by applying a content rendering restriction policy, to alter rendering of the content element on the information resource.

Threat detection method and apparatus, and network system
11036849 · 2021-06-15

A threat detection method and apparatus, and a network system are disclosed. When loading a URL in a browser of a Web sandbox, the threat detection apparatus obtains page code of a first display page group identified by the URL and an overall size occupied by the first display page group in a display area of the browser; injects preset dynamic code into the page code of the first display page group; parses and executes the page code that includes the preset dynamic code; sends a request message, when a value of a display variable is greater than or equal to a preset value, to request page code of a second display page group; receives a response message that carries the page code of the second display page group; and detects, in the Web sandbox, whether the page code of the second display page group carries attack code.

Managing unpatched user devices

The innovation disclosed and claimed herein, in one aspect thereof, comprises a management system and method of handling unpatched users. When a user requests to access their user account or a network, the system checks which type of browser the user is using and which version of the browser is being used. If the user is using an unsecured or unpatched browser, the system offers to update the browser software or provide a virtual machine through the browser so that malware cannot transfer from the user computer to the network. The virtual machine can provide a virtual keyboard to protect the user's login credentials from a key logger. The user logs into the user account within the virtual machine.

Decentralized document and entity verification engine
11128468 · 2021-09-21

A system and method enabling an entity to prove its identity and provide authentic documents/data/information therein at any time required, based upon data retrieved from an independent cryptographically verifiable source (ICVS) through a secured channel, is disclosed. The system enables a virtual and secure browser on a user computing device, allowing a user to log in and retrieve authentic information pertaining to the user from the ICVS in a verifiable and untamperable manner. The retrieved information is bound with origination information of the ICVS, and the bound information is provided to relying entities as authentic information for verification. Also, a cryptographic value of the authentic information can be stored in an immutable storage such as a blockchain, so that the cryptographic value is used by the relying party to validate the integrity of the authentic information.

ACCESS CONTROLS USING TRUST RELATIONSHIPS AND SIMPLIFIED CONTENT CURATION
20210279304 · 2021-09-09

Parental control of a child's web-based digital content experience, which can be applied to other contexts such as education, the workplace or other organizations. Trust relationships authorize specified users or organizations to permit access to content or resources by other users. Collection curation, including content reputation and age-appropriate ratings, is disclosed.