Skip to main content
We gratefully acknowledge support from the Simons Foundation, member institutions, and all contributors. Donate
arXiv logo
Cornell University Logo

Computer Science > Cryptography and Security

arXiv:1611.02875 (cs)
[Submitted on 9 Nov 2016 (v1), last revised 22 Mar 2017 (this version, v2)]

Title:On the Content Security Policy Violations due to the Same-Origin Policy

Authors:Dolière Francis Somé, Nataliia Bielova, Tamara Rezk
View PDF
Abstract:Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers CSP implementation. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.
Comments: 8 pages + references for the short version, extended to 19 pages for detailed appendices
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:1611.02875 [cs.CR]
  (or arXiv:1611.02875v2 [cs.CR] for this version)
  https://doi.org/10.48550/arXiv.1611.02875
Related DOI: https://doi.org/10.1145/3038912.3052634

Submission history

From: Dolière Francis Somé [view email]
[v1] Wed, 9 Nov 2016 10:12:13 UTC (908 KB)
[v2] Wed, 22 Mar 2017 13:41:25 UTC (1,128 KB)
Full-text links:

Access Paper:

  • View PDF
  • TeX Source
  • Other Formats
view license
Current browse context:
cs.CR
< prev   |   next >
new | recent | 2016-11
Change to browse by:
cs

References & Citations

DBLP - CS Bibliography

listing | bibtex
Dolière Francis Some
Dolière Francis Somé
Nataliia Bielova
Tamara Rezk
export BibTeX citation

Bookmark

BibSonomy logo Reddit logo

Bibliographic and Citation Tools

Bibliographic Explorer (What is the Explorer?)
Connected Papers (What is Connected Papers?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)

Code, Data and Media Associated with this Article

alphaXiv (What is alphaXiv?)
CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Hugging Face (What is Huggingface?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)

Demos

Replicate (What is Replicate?)
Hugging Face Spaces (What is Spaces?)
TXYZ.AI (What is TXYZ.AI?)

Recommenders and Search Tools

Influence Flower (What are Influence Flowers?)
CORE Recommender (What is CORE?)

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.

Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)