
Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication

conference contribution
posted on 2023-11-29, 18:15 authored by Gordon Meiser, Pierre Laperdrix, Ben Stock
In the past, Web applications were mostly static and most of the content was provided by the site itself. Nowadays, they have turned into rich client-side experiences customized for the user, where third parties supply a considerable amount of content, e.g., analytics, advertisements, or integration with social media platforms and external services. By default, any exchange of data between documents is governed by the Same-Origin Policy, which only permits data exchange between documents that share the same protocol, host, and port. Given the move to a more interconnected Web, standards bodies and browser vendors have added new mechanisms to enable cross-origin communication, primarily domain relaxation, postMessages, and CORS. While prior work has already shown the pitfalls of not using these mechanisms securely (e.g., omitting origin checks for incoming postMessages), we instead focus on the increased attack surface created by the trust that is necessarily put into the communication partners. To that end, we report on a study of the Tranco Top 5,000 to measure the prevalence of cross-origin communication. By analyzing the interactions between sites, we build an interconnected graph of the trust relations necessary to run the Web. Subsequently, based on this graph, we estimate the damage that can be caused through real-world exploitability of existing client-side XSS flaws.
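The abstract contrasts two problems: the well-known one of omitting the origin check on incoming postMessages, and the paper's own subject, the trust a site must extend to the partners it does accept messages from. The example below is an added illustration written for this page, not code from the paper or its authors. It models a message receiver with and without an origin allowlist, shows that a script injected into a trusted partner via XSS arrives with that partner's genuine origin and so passes the check, and then walks a small, constructed trust graph to rank sites by how many others an XSS on them would reach. The origins, messages and trust edges are all made up for the demo, and the transitive propagation in reachableVictims is a modelling assumption of this example rather than a claim from the paper.

```javascript
// Added example, not code from the paper: a postMessage receiver with and
// without an origin check, and a toy trust graph that shows why an XSS flaw
// on a trusted partner still reaches the receiving site. All origins,
// messages and trust edges are constructed for this demo.

// Origins this document is willing to accept messages from (assumed allowlist).
const TRUSTED_ORIGINS = new Set([
  "https://analytics.example",
  "https://social.example",
]);

// Pitfall from prior work: no origin check, so any window that can obtain a
// reference to this one (opener, iframe parent, ...) can set the token.
function handleMessageNoCheck(event, state) {
  const msg = event.data;
  if (msg && msg.type === "setToken" && typeof msg.value === "string") {
    state.token = msg.value;
    return true;
  }
  return false;
}

// Hardened receiver: reject anything not on the allowlist before touching
// the payload. The browser fills event.origin from the sender's document,
// so the sender cannot spoof it, but a script injected into a trusted
// partner via XSS sends with that partner's genuine origin.
function handleMessageChecked(event, state) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  return handleMessageNoCheck(event, state);
}

// Trust graph for the second half of the demo. An edge site -> partner
// means "site accepts cross-origin messages from partner" (the same idea
// applies to a CORS allowlist or document.domain relaxation).
const TRUST = {
  "https://bank.example": ["https://analytics.example", "https://social.example"],
  "https://analytics.example": ["https://cdn-partner.example"],
  "https://social.example": [],
  "https://cdn-partner.example": [],
};

// Sites an attacker who controls script on `compromised` can send accepted
// messages to. Direct victims are the sites that list `compromised` as a
// partner; with transitive=true we also follow trust edges onward, under the
// modelling assumption that an accepted message lets the attacker act as
// that site too (this assumption is ours, not a claim from the paper).
function reachableVictims(trust, compromised, transitive = false) {
  const victims = new Set();
  const queue = [compromised];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const [site, partners] of Object.entries(trust)) {
      if (partners.includes(current) && !victims.has(site) && site !== compromised) {
        victims.add(site);
        if (transitive) queue.push(site);
      }
    }
  }
  return [...victims].sort();
}

// Rank every site by how many others a client-side XSS on it would reach:
// the "damage estimate" idea from the abstract, applied to the toy graph.
function rankByDamage(trust, transitive = true) {
  return Object.keys(trust)
    .map((site) => [site, reachableVictims(trust, site, transitive).length])
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

function demo() {
  const noCheck = {};
  const checked = {};
  // Constructed message events; a real handler gets these from window.onmessage.
  const fromAttacker = {
    origin: "https://evil.example",
    data: { type: "setToken", value: "attacker-token" },
  };
  const fromPartnerXss = {
    origin: "https://analytics.example", // genuine origin of the XSS'd partner
    data: { type: "setToken", value: "attacker-token" },
  };
  return {
    noCheckAcceptsAttacker: handleMessageNoCheck(fromAttacker, noCheck),
    checkedRejectsAttacker: !handleMessageChecked(fromAttacker, checked),
    checkedAcceptsPartnerXss: handleMessageChecked(fromPartnerXss, checked),
    tokenAfterPartnerXss: checked.token,
    damageRanking: rankByDamage(TRUST),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The first three fields of the demo output capture the abstract's distinction: the allowlist stops the attacker's own origin, but not the same payload sent from a partner the site chose to trust. The ranking shows the graph view: in the toy data, cdn-partner.example is never contacted by bank.example directly, yet an XSS there reaches the bank through analytics.example, which is the kind of indirect exposure the trust graph in the paper is built to surface.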

History

Preferred Citation

Gordon Meiser, Pierre Laperdrix and Ben Stock. Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication. In: ACM ASIA Conference on Computer and Communications Security (AsiaCCS). 2021.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

ACM ASIA Conference on Computer and Communications Security (AsiaCCS)

Legacy Posted Date

2021-02-09

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3356, title = "Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication", author = "Meiser, Gordon and Laperdrix, Pierre and Stock, Ben", booktitle="{ACM ASIA Conference on Computer and Communications Security (AsiaCCS)}", year="2021", }
