,
, Evolution of CSP adoption among top 10,000 Alexa Sites between, 2016.
,
, Percentage of pages with CSP per site
, Differences in CSP directives for parent and iframe pages, p.48
, Differences in CSP directives for same-origin and relaxed origin pages, p.49
, , vol.87
, Performance overhead of deploying the monitor
, Overhead introduced by applying CSP to content
,
, Preventing trackers from combining in-context and cross-context tracking, vol.112
, A demo page displaying a Google Maps
, Testing 485 carefully selected extensions provides a very similar uniqueness result to testing all 16,743 extensions
, The script detects an icon of Adblock extension and concludes that Adblock is installed. Then the script detects that the user is logged into Facebook when it successfully loads Facebook favicon.ico. It also detects that the user is logged into LinkdedIn through a CSP violation, Detection of browser extensions and Web logins. A user visits a benign website test.com which embeds third party code (the attacker' script) from attacker.com
, Evolution of detected extensions in Chrome
, 127 7.5 Distribution of anonymity set sizes for 16,393 users based on detected extensions and logins
, Four final datasets. D Ext contains users, who have installed at least one detected extension and D Log contains users, who have at least one login detected
, Anonymity sets for different datasets
, Anonymity sets for users with respect to the number of detected extensions 130
, 131 7.10 Comparison of fingerprint pattern size (targeted) and the total number of detected attributes (detected) for unique users
, Anonymity sets for different numbers of attributes tested by general fingerprinting algorithm
, 136 7.13 Uniqueness of Chrome users based on their extensions only vs. number of users-204 is the number of users used in
, Browser extensions architecture-Communications with web applications, p.149
, , p.152
, 156 8.4 A.com forces an attack by opening B.com thereby allowing A.com/content to load, execute and interact with extensions in order to exfiltrate user data to A
, CORS requests workflow in presence of an extension with the capability to intercept and manipulate HTTP headers
, Distribution of users of extensions with the capability to tamper with CORS headers
, Distribution of users of extensions manipulating CORS headers, p.182
, Categories of extensions manipulating CORS headers, p.183
, Breaking legitimate CORS requests by adding multiple values to the Access-Control-Allow-Origin header
, Breaking legitimate CORS requests with credentials by changing Access-Control-Allow-Origin to *
, 2 CORS headers exchanges between web browsers and servers. In many cases, there is a one-to-one correspondence between the requests and responses headers. The browser sends a header, and the server uses its dual to authorize or reject cross-origin requests, HTTP headers (excerpt) exchanged between the browser (client) and the server for
, Excerpt of CSP directives and their descriptions
, Statistics CSP violations due to Same-Origin Policy, vol.46
, Sample of sites with CSP violations due to Same-Origin Policy, p.46
, Potential CSP violations in pages with CSP
, 60 4.3 Formalization of Dependency-Free Policies (DF-CSP) considering CSP1, CSP2 and CSP3 versions and their implementations in browsers, p.62
, 66 4.5 Dependencies and rewriting rules considering only CSP2 and CSP3 and their implementations in browsers
, Dependencies and rewriting rules for CSP2 and CSP3, according to the specifications. We consider only browsers which implementations are compliant with the specifications
, Dependencies in the wild, considering CSP1, CSP2, CSP3 and their implementations in browsers
, Matching arguments in an origin against arguments in a URL, p.89
, Injecting dynamic third party content
, 124 7.2 Previous studies on measuring uniqueness based on browser extensions and our estimation of uniqueness
, Top seven most popular extensions in our dataset and their popularity on Chrome Web Store, vol.126
, Top seven most popular logins in our dataset and their ranking according to Alexa
,
,
, Data collection and analysis results overview
, Most requested permissions among Chrome, Firefox and Opera extensions, p.179
, Top 3 most popular categories among extensions with the ability to manipulate HTTP headers
, Sources (origins of webpages) and targets (web applications servers) of CORS requests allowed by extensions. The table reads from row to column, p.182
, 6 Extensions breaking the Same Origin Policy-Types of authorized CORS requests
, Breaking web applications, because of a harsh modification of CORS headers by extensions
, Extensions with the same code base which gives *.fliptab.io access to browsing history (get/delete), bookmarks (get), extensions (get/enable/disable/uninstall) and storage
, Extensions with the same code base for triggering downloads from vk.com, *.vimeo.com, *.coub.com, *.kinopoisk
, Extensions with the same code base which leaks topsites, history and/or bookmarks to *.atavi.com, *.atavi.test
, A.5 Extensions which give access to their storage to any application
, A.7 Chrome, Firefox and Opera extensions that can be exploited by web applications access privileged APIs and sensitive user information, 0200.
, Firefox and Opera extensions that can be exploited by web applications access privileged APIs and sensitive user information, p.201
, Firefox and Opera extensions that can be exploited by web applications access privileged APIs and sensitive user information, p.202
, Firefox and Opera extensions that can be exploited by web applications access privileged APIs and sensitive user information, p.203
, Firefox and Opera extensions that can be exploited by web applications access privileged APIs and sensitive user information, p.204
, Firefox and Opera extensions that can be exploited by web applications access privileged APIs and sensitive user information, 205 List of tools and websites
, A Monitor to Complement Content Security Policy (CSP) Expressiveness
, Analyze Message Passing APIs in Browser extensions components
, CORSER-Cross-browser extension for tampering with HTTP CORS headers
, Deploying Server-Side Tracking Protection Architecture
, Webstats-Various statistics about top 10,000 Alexa sites
, Hypertext Transfer Protocol
, A comprehensive tutorial on cross-site scripting
, Abstract Syntax Tree
, Ads-Browse Safe
,
,
, Application programming interface
, ASP.NET Web Framework
,
, Boomerang for Gmail-Chrome Extension
,
, Bug 1372288-webextensions uuid can be used as user fingerprint
, Can I use Content Security Policy, vol.1, issue.0
,
, Chrome-Publish in the Chrome Web Store
, Chrome Extensions API
, Chrome Extensions API-Content scripts and Content Security Policy
, Chrome Platform Status
, Chrome WebRequest API
, Content Security Policy (CSP)-Chrome Extensions
,
, CORS protocol-Fetch Specification
,
, Cross-origin-resource sharing
,
, CSP violations online
, CSS Parser for Node
, , vol.46
, Internationalization API Specification (ECMA-402, 2017.
,
,
, Firefox Add-ons
,
,
,
,
,
, Manifest-Web Accessible Resources
, Manifest File Format
,
,
, To watch television-Firefox Extension
, HD Wallpapers from fliptab
, HTML Parser for Node
,
, HTML5 Specification-W3C
, HTTP Commander-Chrome Extension
,
,
,
,
, JavaScript Object Property Access-Dot and Array Notation
, JavaScript/Reference/Global_Objects/Proxy
,
,
, LinkedIn Sales NavigatorChrome Extension
, Man-in-the-middle attack
,
, Message Passing-Google Chrome Extensions
,
, Microsoft Internet Information Services (IIS
, MIME types
,
,
,
,
,
,
,
, Opera-Passing Messages in Extensions
, Opera Add-ons
, Opera Extensions API
,
, PHP: Hypertext Preprocessor
, PostMessage-Cross-Origin Iframe Secure Communication
, Publishing Guidelines-Opera Extensions
, Python Programming Language
,
, Same Origin Policy
, Secure Hash Algorithms
, Server Side Access Control (CORS
,
, Session Hijacking Attack
, SlimerJS-A scriptable browser for Web developers
, Space Galaxy HD Wallpapers-Chrome Extension
,
, Telerik Test Studio Chrome Playback, vol.1, 2014.
, The Basics of Browser Helper Objects
, The OWASP Top Ten Project
,
, Tracking Compliance and Scope
, Tracking Preference Expression
,
,
, User-Agent Switcher-Firefox Extensions
, User-Agent Switcher for Chrome-Chrome Extension
,
, Using Service Workers
, VisualSP Training for Office 365-Chrome Extension
, Webstats-Various statistics about top 10,000 Alexa sites
,
,
,
,
, European Commision Law on Cookies, 2012.
, Webstats-Use of Content Security Policy and Cookies in top 10,000 Alexa sites, 2016.
, XSS-FP: browser fingerprinting using HTML parser quirks, 2012.
URL : https://hal.archives-ouvertes.fr/hal-00753926
, The web never forgets: Persistent tracking mechanisms in the wild, Proc. of CCS, 2014.
, FPDetective: dusting the web for fingerprinters, Proc. of CCS, 2013.
, On the unicity of smartphone applications, 2015.
, Mytrackingchoices: Pacifying the ad-block war by enforcing user privacy preferences, 2016.
, Data Exfiltration in the Face of CSP, Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp.853-864, 2016.
, Detect if visitors are logged into twitter, 2012.
, VEX: vetting browser extensions for security vulnerabilities, 19th USENIX Security Symposium, pp.339-354, 2010.
DOI : 10.1145/1995376.1995398
, Proceedings of the 26th International Conference on World Wide Web, 2017.
, Protecting browsers from extension vulnerabilities, Proceedings of the Network and Distributed System Security Symposium, NDSS 2010, 2010.
, User tracking on the web via cross-browser fingerprinting, Proc. of the 16th NordSec, pp.31-46, 2011.
DOI : 10.1007/978-3-642-29615-4_4
, Engineering Secure Software and Systems-9th International Symposium, vol.10379, 2017.
, Dirty browser enumeration tricks-using chrome:// and about: to detect firefox and addons, 2014.
, Finegrained detection of privilege escalation attacks on browser extensions, Programming Languages and Systems-24th European Symposium on Programming, ESOP 2015, Held as Part of the European Joint Conferences on Theory and Practice of Software, vol.9032, pp.510-534, 2015.
DOI : 10.1007/978-3-662-46669-8_21
, Content Security Problems?: Evaluating the Effectiveness of Content Security Policy in the Wild, vol.268, pp.1365-1375
, CCSP: controlled relaxation of content security policies by runtime policy composition, Kirda and Ristenpart, vol.215, pp.695-712
, Semantics-based analysis of content security policy deployment, ACM Trans. Web, vol.12, issue.2, 2017.
DOI : 10.1145/3149408
, cross-)browser fingerprinting via os and hardware level features, Proc. of the 24th NDSS, 2017.
DOI : 10.14722/ndss.2017.23152
, An evaluation of the google chrome extension security architecture, Proceedings of the 21th USENIX Security Symposium, pp.97-111, 2012.
, The evolution of chrome extensions detection, 2013.
, Unique in the crowd: The privacy bounds of human mobility, Scientific Reports, vol.3, p.1376, 2013.
, deDacota: toward preventing server-side XSS via automatic code and data separation, 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, pp.1205-1216, 2013.
, How Unique Is Your Web Browser?, Proc. of the 2010 PETS
DOI : 10.1007/978-3-642-14527-8_1
URL : http://www.freehaven.net/anonbib/cache/pets2010:eckersley2010unique.pdf
, Heng Yin, and Dawn Xiaodong Song. Dynamic spyware analysis, Proceedings of the 2007 USENIX Annual Technical Conference, pp.233-246, 2007.
, Novel techniques for user deanonymization attacks, 2016.
, Online tracking: A 1-million-site measurement and analysis, Proc. of the 2016 CCS, pp.1388-1401, 2016.
, Cookies that give you away: The surveillance implications of web tracking, Proc. of the 24th WWW, pp.289-299, 2015.
DOI : 10.1145/2736277.2741679
, Webbiometrics: User verification via web interaction, Biometrics Symposium, pp.1-6, 2007.
DOI : 10.1109/bcc.2007.4430552
, Hiding in the crowd: an analysis of the effectiveness of browser fingerprinting at large scale, Proceedings of the 2018 World Wide Web Conference on World Wide Web, pp.309-318, 2018.
, Client-and Server-Side Security Technologies for JavaScript Web Applications ; Beveiligingstechnologiën voor webapplicaties in JavaScript, 2016.
, I know what you've got, 2006.
, Login detection, whose problem is it?, 2008.
, Verified security for browser extensions, 32nd IEEE Symposium on Security and Privacy, pp.115-130, 2011.
DOI : 10.1109/sp.2011.36
URL : http://research.microsoft.com/users/livshits/papers%5Cpdf%5Cibex11.pdf
, Code repository for paper titled 'near-optimal fingerprinting with constraints, 2016.
, Near-optimal fingerprinting with constraints, Proceedings on Privacy Enhancing Technologies, vol.2016, pp.470-487, 2016.
, To extend or not to extend: on the uniqueness of browser extensions and web logins, To appear in the Proceedings of the 2018 ACM on Workshop on Privacy in the Electronic Society, 2018.
, Modern and flexible browser fingerprinting library
, May I?-Content Security Policy Endorsement for Browser Extensions, Detection of Intrusions and Malware, and Vulnerability Assessment-12th International Conference, DIMVA 2015, vol.9148, pp.261-281, 2015.
DOI : 10.1007/978-3-319-20550-2_14
URL : http://www.cse.chalmers.se/%7Eandrei/dimva15.pdf
, Uniquely me! how much information does it take to single out one person among billions?, vol.102, pp.106-109, 2014.
, The most dangerous code in the browser, 15th Workshop on Hot Topics in Operating Systems, HotOS XV, Kartause Ittingen, 2015.
, HTML5. A vocabulary and associated APIs for HTML and XHTML. W3C Recommendation, 2014.
, ECMAScript Parsing Infrastructure
, PhantomJS Headless Browser, pp.2010-2016
, Using content-security-policy for evil, 2014.
, Profilejacking-legal tricks to detect user profile, 2015.
, Beware of Finer-Grained Origins, Web 2.0 Security and Privacy, 2008.
DOI : 10.1007/978-1-349-13729-9_23
, An Automated Recommendation of Content Security Policy for Web Applications, IEEE Oakland Web 2.0 Security and Privacy (W2SP'12), 2012.
, Remedying the eval that men do, International Symposium on Software Testing and Analysis, vol.2012, pp.34-44, 2012.
, Preparedjs: Secure script-templates for javascript, pp.102-121
DOI : 10.1007/978-3-642-39235-1_6
, Script-templates for the content security policy, J. Inf. Sec. Appl, vol.19, issue.3, pp.209-223, 2014.
DOI : 10.1016/j.jisa.2014.03.007
, Hulk: Eliciting malicious behavior in browser extensions, Proceedings of the 23rd USENIX Security Symposium, pp.641-654, 2014.
, Injecting CSP for Fun and Security, Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pp.15-25, 2016.
DOI : 10.5220/0005650100150025
URL : http://research.sidstamm.com/papers/csp_icissp_2016.pdf
, USENIX Association, 26th USENIX Security Symposium, 2017.
, Intro to chrome addons hacking: fingerprinting, 2012.
, Privacy diffusion on the web: a longitudinal perspective, Proc. of the 18th WWW, pp.541-550, 2009.
DOI : 10.1145/1526709.1526782
, Browser Fingerprinting: Exploring Device Diversity to Augment Authentication and Build Client-Side Countermeasures. (Empreinte digitale d'appareil: exploration de la diversité des terminaux modernes pour renforcer l'authentification en ligne et construire descontremesures côté client), INSA Rennes, 2017.
, Fprandom: Randomizing core browser objects to break advanced device fingerprinting techniques, vol.174, pp.97-114
DOI : 10.1007/978-3-319-62105-0_7
URL : https://hal.archives-ouvertes.fr/hal-01527580
, Mitigating browser fingerprint tracking: Multi-level reconfiguration and diversification, 10th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems, pp.98-108, 2015.
DOI : 10.1109/seams.2015.18
URL : https://hal.archives-ouvertes.fr/hal-01121108
, Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints, IEEE Symposium on Security and Privacy, vol.2016, pp.878-894, 2016.
DOI : 10.1109/sp.2016.57
URL : https://hal.archives-ouvertes.fr/hal-01285470
, Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to, Proc. of the 25th USENIX Security, 2016.
, Your social media fingerprint, 2016.
, Extensible web browser security, Detection of Intrusions and Malware, and Vulnerability Assessment, 4th International Conference, vol.4579, pp.1-19, 2007.
, Third-party web tracking: Policy and technology, Proc. of the 2012 IEEE SP, pp.413-427, 2012.
DOI : 10.1109/sp.2012.47
URL : https://cyberlaw.stanford.edu/files/publication/files/trackingsurvey12.pdf
, Block me if you can: A large-scale study of tracker-blocking tools, Proc. of the 2nd EuroSP, 2017.
, Pixel perfect: Fingerprinting canvas in HTML5, Proceedings of W2SP 2012, 2012.
, JavaScript Syntax Tree Transformer
, You are what you include: large-scale evaluation of remote javascript inclusions, Proc. of the 2012 CCS, pp.736-747, 2012.
, Cookieless monster: Exploring the ecosystem of webbased device fingerprinting, 2013 IEEE Symposium on Security and Privacy, pp.541-555, 2013.
, Why johnny can't browse in peace: On the uniqueness of web browsing history patterns, Hot Topics in Privacy Enhancing Technologies, pp.7-2012, 2012.
URL : https://hal.archives-ouvertes.fr/hal-00747841
, Securing legacy firefox extensions with SENTINEL, vol.241, pp.122-138
DOI : 10.1007/978-3-642-39235-1_7
URL : http://repository.bilkent.edu.tr/bitstream/11693/27988/1/Securing%20legacy%20firefox%20extensions%20with%20SENTINEL.pdf
, SENTINEL: securing legacy firefox extensions, Computers & Security, vol.49, pp.147-161, 2015.
DOI : 10.1016/j.cose.2014.12.002
URL : http://seclab.ccs.neu.edu/static/publications/cs2015sentinel.pdf
, I do not know what you visited last summer: Protecting users from stateful third-party web tracking with trackingfree browser, Proc. of the 22nd NDSS, 2015.
DOI : 10.14722/ndss.2015.23163
, CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites, vol.268, pp.653-665
, A Measurement Study of the Content Security Policy on Real-World Applications. I. J. Network Security, vol.18, issue.2, pp.383-392, 2016.
, Firefox will stop supporting plugins by end of 2016, following chrome's lead
, CasperJS navigation and scripting tool for PhantomJS, pp.2011-2016
, User re-authentication via mouse movements, ACM Workshop Visualizat. Data Mining Comput. Security, pp.1-8, 2004.
DOI : 10.1145/1029208.1029210
, The eval that men do-A large-scale study of the use of eval in javascript applications, ECOOP 2011-Object-Oriented Programming-25th European Conference, vol.6813, pp.52-78, 2011.
, Detection of Intrusions and Malware, and Vulnerability Assessment-10th International Conference, DIMVA 2013, vol.7967, 2013.
, Detecting and defending against third-party tracking on the web, Proc. of the 9th NSDI, pp.155-168, 2012.
, On continuous user authentication via typing behavior, vol.23, pp.4611-4624, 2014.
DOI : 10.1109/tip.2014.2348802
, Busting frame busting: a study of clickjacking vulnerabilities at popular sites, IEEE Oakland Web 2.0 Security and Privacy, 2010.
, Extension breakdown: Security analysis of browsers extension resources control policies, Kirda and Ristenpart, vol.215, pp.679-694
, Canvas DefendeSaying Goodbye to Our Old Friend NPAPI, 2013.
, Hop.js-Multi-tier JavaScript
URL : https://hal.archives-ouvertes.fr/hal-00498507
, On the Incoherencies in Web Browser Access Control Policies, 31st IEEE Symposium on Security and Privacy, vol.2010, pp.463-478, 2010.
, Discovering browser extensions via web accessible resources, Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, pp.329-336, 2017.
, Flash Cookies and Privacy, AAAI spring symposium: intelligent information privacy management, pp.158-163, 2010.
, Breaking the Same Origin Policy for free-On CORS headers manipulations by browser extensions
, EmPoWeb: Empowering web applications with browser extensions
, On the Content Security Policy violations due to the Same-Origin Policy
, Control what you include!-server-side protection against third party web tracking, vol.174, pp.115-132
, On the content security policy violations due to the same-origin policy, vol.171, pp.877-886
, DF-CSP: Dependency-Free Content Security Policy
, Extending Content Security Policy: Blacklisting, URL arguments filtering and Monitoring
, Reining in the web with content security policy, Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp.921-930, 2010.
, Extended tracking powers: Measuring the privacy diffusion enabled by browser extensions, vol.171, pp.1481-1490
, XHOUND: quantifying the fingerprintability of browser extensions, 2017 IEEE Symposium on Security and Privacy, pp.941-956, 2017.
, Content Security Policy 1.0. W3C Candidate Recommendation, 2012.
, Gradual typing embedded securely in JavaScript, The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '14, pp.425-438, 2014.
URL : https://hal.archives-ouvertes.fr/hal-00940836
, Web browser fingerprinting using only cascading style sheets, Proc. of the 10th BWCCA, pp.57-63, 2015.
, A classification of web browser fingerprinting techniques, Proc. of the 7th NTMS, pp.1-5, 2015.
, Cross Origin Resource Sharing. W3C Recommendation, 2014.
, FPSTALKER: tracking browser fingerprint evolutions, 2018 IEEE Symposium on Security and Privacy, pp.728-741, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01652021
, CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, vol.268, pp.1376-1387
, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016.
, Why Is CSP Failing? Trends and Challenges in CSP Adoption, Research in Attacks, Intrusions and Defenses-17th International Symposium, pp.212-233, 2014.
, Ex-ray: Detection of history-leaking browser extensions, Proceedings of the 33rd Annual Computer Security Applications Conference, pp.590-602, 2017.
, Content Security Policy: Embedded Enforcement, 2016.
, Content Security Policy Level 3. W3C Working Draft, 2016.
, Mixed Content, 2016.
, Origin Policy. A Collection of Interesting Ideas, 2016.
, Content Security Policy Level 2. W3C Candidate Recommendation, 2015.
, Feature Policy. W3C Draft Community Group Report, 2016.
, CRX Extension Source Viewer For Chrome
, Mitigating Cross-Site Scripting Attacks with a Content Security Policy, IEEE Computer, vol.49, issue.3, pp.56-63, 2016.
, Keystroke dynamics for user authentication, 2012 IEEE Computer Society Conference on Computer Vision and Pattern Recognition Workshops, pp.117-123, 2012.