On the Content Security Policy Violations due to the Same-Origin Policy

Dolière Francis Somé 1 Nataliia Bielova 1 Tamara Rezk 1
1 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in sr-cdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers CSP implementation. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.
Document type :
Conference papers
Complete list of metadatas

Cited literature [23 references]  Display  Hide  Download

https://hal.inria.fr/hal-01649526
Contributor : Dolière Francis Somé <>
Submitted on : Monday, November 27, 2017 - 3:49:47 PM
Last modification on : Thursday, January 11, 2018 - 4:22:45 PM

File

p877.pdf
Files produced by the author(s)

Identifiers

Collections

Citation

Dolière Francis Somé, Nataliia Bielova, Tamara Rezk. On the Content Security Policy Violations due to the Same-Origin Policy. WWW 2017 - 26th International Conference on World Wide Web , Apr 2017, Perth, Australia. pp.877-886, ⟨10.1145/3038912.3052634⟩. ⟨hal-01649526⟩

Share

Metrics

Record views

213

Files downloads

152