On the Content Security Policy Violations due to the Same-Origin Policy - Inria - Institut national de recherche en sciences et technologies du numérique
Conference paper, Year: 2017

On the Content Security Policy Violations due to the Same-Origin Policy

Dolière Francis Somé
Nataliia Bielova
Tamara Rezk

Abstract

Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers' implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers' CSP implementation. To ameliorate the problematic conflicts between these security mechanisms, we discuss measures to avoid CSP violations.
Main file: p877.pdf (1.41 MB)
Origin: Files produced by the author(s)

Dates and versions

hal-01649526, version 1 (27-11-2017)

Cite

Dolière Francis Somé, Nataliia Bielova, Tamara Rezk. On the Content Security Policy Violations due to the Same-Origin Policy. WWW 2017 - 26th International Conference on World Wide Web , Apr 2017, Perth, Australia. pp.877-886, ⟨10.1145/3038912.3052634⟩. ⟨hal-01649526⟩