Skip to Main content Skip to Navigation
New interface
Conference papers

On the Content Security Policy Violations due to the Same-Origin Policy

Dolière Francis Somé 1 Nataliia Bielova 1 Tamara Rezk 1 
1 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in sr-cdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers CSP implementation. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.
Document type :
Conference papers
Complete list of metadata

Cited literature [23 references]  Display  Hide  Download
Contributor : Dolière Francis Somé Connect in order to contact the contributor
Submitted on : Monday, November 27, 2017 - 3:49:47 PM
Last modification on : Saturday, June 25, 2022 - 11:28:36 PM


Files produced by the author(s)




Dolière Francis Somé, Nataliia Bielova, Tamara Rezk. On the Content Security Policy Violations due to the Same-Origin Policy. WWW 2017 - 26th International Conference on World Wide Web , Apr 2017, Perth, Australia. pp.877-886, ⟨10.1145/3038912.3052634⟩. ⟨hal-01649526⟩



Record views


Files downloads