Extending the Same Origin Policy with Origin Attributes

@inproceedings{Vyas2017ExtendingTS,
  title={Extending the Same Origin Policy with Origin Attributes},
  author={Tanvi Vyas and Andrea Marchesini and Christoph Kerschbaumer},
  booktitle={ICISSP},
  year={2017}
}
The Same Origin Policy (SOP) builds the foundation of the current web security model. [...] Key Method: Instead of spending considerable engineering effort to patch the browser for every new specification that proposes to extend the SOP, we re-design a web browser's architecture and build Origin Attributes directly into a browser's rendering engine. Our implementation allows any specification or web technology to integrate into Origin Attributes with minimal engineering effort and reduces the risk of jeopardizing…

What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem

A metric called "tangle factor" is developed that measures how a set of first party websites may be interconnected or tangled with each other based on the common third parties used, and shows that different countries have different levels of interconnectedness; for example, China has a lower tangle factor than the UK.

Automated discovery of privacy violations on the web

A critical look at how the API design process can be changed to prevent such misuse in the future is taken, and novel detection methods and results for persistent tracking techniques, including device fingerprinting, cookie syncing, and cookie respawning, are presented.

Hardening Firefox against Injection Attacks

This work studies common threats to discover common threats and explains how to address them systematically to harden Firefox.

References

Protecting Users by Confining JavaScript with COWL

COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content and allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple mutually distrusting origins, all while protecting users' privacy.

UCognito: Private Browsing without Tears

A technical approach to identify browser traces left behind by a private browsing session, and a new and general approach to implement private browsing, called UCognito, which is implemented on Linux and stops all known privacy leaks identified by prior work and this study.

Private Browsing Mode Not Really That Private: Dealing with Privacy Breach Caused by Browser Extensions

  • Bin Zhao, Peng Liu
  • Computer Science
  • 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
  • 2015
This paper proposes an approach to comprehensively identify and stop privacy breaches under PBM caused by browser extensions, primarily based on run-time behavior tracking that combines dynamic analysis and symbolic execution to represent extensions' behavior to identify privacy breaches in PBM.

Cookies That Give You Away: The Surveillance Implications of Web Tracking

It is shown that foreign users are highly vulnerable to the NSA's dragnet surveillance due to the concentration of third-party trackers in the U.S. Using measurement units in various locations, this work introduces a methodology that combines web measurement and network measurement.

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

A novel technique called principal-based tainting is developed that allows us to perform dynamic analysis of JavaScript execution with lowered performance overhead, and shows that privacy attacks are more prevalent and serious than previously known.

The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

The evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls, such as failing to clear state on multiple browsers at once, in which a single lapse in judgement can shatter privacy defenses.

HTTP State Management Mechanism

This document defines the HTTP Cookie and Set-Cookie headers. These headers can be used by HTTP servers to store state on HTTP user agents, letting the servers maintain a stateful session over the

Tracking the Trackers

This paper proposes a novel approach, based on the concepts leveraged from $k$-Anonymity, in which users collectively identify unsafe data elements, which have the potential to identify uniquely an individual user, and remove them from requests.

The Web Origin Concept

This document defines how to compute an origin from a URI, how to serialize an origin to a string, and an HTTP header, named "Origin", for indicating which origin caused the user agent to issue a particular HTTP request.

XRay: Enhancing the Web's Transparency with Differential Correlation

XRay is developed, the first fine-grained, robust, and scalable personal data tracking system for the Web, which achieves high precision and recall by correlating data from a surprisingly small number of extra accounts.