Extending the Same Origin Policy with Origin Attributes

@inproceedings{Vyas2017ExtendingTS,
  title={Extending the Same Origin Policy with Origin Attributes},
  author={Tanvi Vyas and A. Marchesini and Christoph Kerschbaumer},
  booktitle={ICISSP},
  year={2017}
}
The Same Origin Policy (SOP) builds the foundation of the current web security model. [...] Key Method Instead of spending considerable engineering effort to patch the browser for every new specification that proposes to extend the SOP, we re-design a web browsers architecture and build Origin Attributes directly into a browsers rendering engine. Our implementation allows any specification or web technology to integrate into Origin Attributes with minimal engineering effort and reduces the risk of jeopardizing…Expand
Automated discovery of privacy violations on the web
TLDR
A critical look at how the API design process can be changed to prevent such misuse in the future is taken, and novel detection methods and results for persistent tracking techniques, including: device fingerprinting, cookie syncing, and cookie respawning are presented. Expand
Hardening Firefox against Injection Attacks
TLDR
This work studies common threats to discover common threats and explains how to address them systematically to harden Firefox. Expand
What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem
TLDR
A metric called "tangle factor" is developed that measures how a set of first party websites may be interconnected or tangled with each other based on the common third parties used, and shows that different countries have different levels of interconnectedness, for example China has a lower tangle factor than the UK. Expand

References

SHOWING 1-10 OF 22 REFERENCES
Protecting Users by Confining JavaScript with COWL
TLDR
COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content and allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple mutually distrusting origins, all while protecting users' privacy. Expand
UCognito: Private Browsing without Tears
TLDR
A technical approach to identify browser traces left behind by a private browsing session, and a new and general approach to implement private browsing, called Ucognito, which is implemented on Linux and stops all known privacy leaks identified by prior work and this study. Expand
Private Browsing Mode Not Really That Private: Dealing with Privacy Breach Caused by Browser Extensions
  • Bin Zhao, Peng Liu
  • Computer Science
  • 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
  • 2015
TLDR
This paper proposes an approach to comprehensively identify and stop privacy breaches under PBM caused by browser extensions, primarily based on run-time behavior tracking that combines dynamic analysis and symbolic execution to represent extensions' behavior to identify privacy breaches in PBM. Expand
Cookies That Give You Away: The Surveillance Implications of Web Tracking
TLDR
It is shown that foreign users are highly vulnerable to the NSA's dragnet surveillance due to the concentration of third-party trackers in the U.S. Using measurement units in various locations, this work introduces a methodology that combines web measurement and network measurement. Expand
Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations
TLDR
A novel technique called principal-based tainting is developed that allows us to perform dynamic analysis of JavaScript execution with lowered performance overhead, and shows that privacy attacks are more prevalent and serious than previously known. Expand
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
TLDR
The evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls --- such as failing to clear state on multiple browsers at once - in which a single lapse in judgement can shatter privacy defenses. Expand
HTTP State Management Mechanism
This document defines the HTTP Cookie and Set-Cookie headers. These headers can be used by HTTP servers to store state on HTTP user agents, letting the servers maintain a stateful session over theExpand
Tracking the Trackers
TLDR
This paper proposes a novel approach, based on the concepts leveraged from $k$-Anonymity, in which users collectively identify unsafe data elements, which have the potential to identify uniquely an individual user, and remove them from requests. Expand
Exposing the Hidden Web: An Analysis of Third-Party HTTP Requests on 1 Million Websites
TLDR
It is revealed that a handful of U.S. companies receive the vast bulk of user data, and roughly 1 in 5 websites are potentially vulnerable to known National Security Agency spying techniques at the time of analysis. Expand
The Web Origin Concept
TLDR
This document defines how to compute an origin from a URI, how to serialize an origin to a string, and an HTTP header, named "Origin", for indicating which origin caused the user agent to issue a particular HTTP request. Expand
...
1
2
3
...