On the Content Security Policy Violations Due to the Same-Origin Policy

Title: On the Content Security Policy Violations Due to the Same-Origin Policy
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Some, Dolière Francis; Bielova, Nataliia; Rezk, Tamara
Conference Name: Proceedings of the 26th International Conference on World Wide Web
Publisher: International World Wide Web Conferences Steering Committee
Conference Location: Republic and Canton of Geneva, Switzerland
ISBN Number: 978-1-4503-4913-0
Keywords: Collaboration, content security policy, policy, policy-based governance, pubcrawl, same origin policy, Security and Privacy, Web Application Security
Abstract: Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers CSP implementation. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.
URL: https://doi.org/10.1145/3038912.3052634
DOI: 10.1145/3038912.3052634
Citation Key: some_content_2017