Click-jacking protection on the modern Web is commonly enforced via client-side security mechanisms for framing control, like the X-Frame-Options header (XFO) and Content Security Policy (CSP). Though these client-side security mechanisms are certainly useful and successful, delegating protection to web browsers opens room for inconsistencies in the security guarantees offered to users of different browsers. In particular, inconsistencies might arise due to the lack of support for CSP and the different implementations of the underspecified XFO header. In this paper, we formally study the problem of inconsistencies in framing control policies across different browsers and we implement an automated policy analyzer based on our theory, which we use to assess the state of click-jacking protection on the Web. Our analysis shows that 10% of the (distinct) framing control policies in the wild are inconsistent and most often do not provide any level of protection to at least one browser. We thus propose recommendations for web developers and browser vendors to mitigate this issue. Finally, we design and implement a server-side proxy to retrofit security in web applications.
History
Preferred Citation
Stefano Calzavara, Sebastian Roth, Alvise Rabitti, Michael Backes and Ben Stock. A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web. In: Usenix Security Symposium (USENIX-Security). 2020.
Primary Research Area
Empirical and Behavioral Security
Secondary Research Area
Threat Detection and Defenses
Name of Conference
Usenix Security Symposium (USENIX-Security)
Legacy Posted Date
2020-02-27
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3033,
title = "A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web",
author = "Calzavara, Stefano and Roth, Sebastian and Rabitti, Alvise and Backes, Michael and Stock, Ben",
booktitle="{Usenix Security Symposium (USENIX-Security)}",
year="2020",
}