On the Content Security Policy Violations due to the Same-Origin Policy

Dolière Francis Somé (1), Nataliia Bielova (1), Tamara Rezk (1)
(1) INDES - Secure Diffuse Programming, CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract: Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same-Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from the 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browser implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in the CSP implementation of Gecko-based browsers. To ameliorate the problematic conflicts between these security mechanisms, we discuss measures to avoid CSP violations.
Document type: Conference paper
WWW 2017 - 26th International Conference on World Wide Web, Apr 2017, Perth, Australia. ACM, pp. 877-886, 2017, Proceedings of the 26th International Conference on World Wide Web. DOI: 10.1145/3038912.3052634

https://hal.inria.fr/hal-01649526
Contributor: Dolière Francis Somé
Submitted on: Monday 27 November 2017 - 15:49:47
Last modified on: Thursday 11 January 2018 - 16:22:45

File: p877.pdf (file produced by the author(s))

Citation

Dolière Francis Somé, Nataliia Bielova, Tamara Rezk. On the Content Security Policy Violations due to the Same-Origin Policy. WWW 2017 - 26th International Conference on World Wide Web, Apr 2017, Perth, Australia. ACM, pp. 877-886, 2017, Proceedings of the 26th International Conference on World Wide Web. DOI: 10.1145/3038912.3052634. HAL id: hal-01649526

Metrics

Record views: 141
File downloads: 54