
Reining in the Web's Inconsistencies with Site Policy

conference contribution
posted on 2023-11-29, 18:15 authored by Stefano Calzavara, Tobias Urban, Dennis Tatang, Marius Steffens, Ben Stock
Over the years, browsers have adopted an ever-increasing number of client-enforced security policies deployed by means of HTTP headers. Such mechanisms are fundamental for web application security, and are usually deployed on a per-page basis. This, however, enables inconsistencies, as different pages within the same security boundary (in the form of an origin or a site) can express conflicting security requirements. In this paper, we formalize inconsistencies for cookie security attributes, CSP and HSTS, and then quantify the magnitude and impact of inconsistencies at scale by crawling 15,000 popular sites. We show that numerous sites endanger their own security by omission or misconfiguration of the aforementioned mechanisms, which leads to unnecessary exposure to XSS, cookie theft and HSTS deactivation. We then use our data to analyse to what extent the recent Origin Policy proposal can fix the problem of inconsistencies. Unfortunately, we conclude that the current Origin Policy design suffers from major shortcomings which limit its practical applicability to addressing security inconsistencies while catering to the needs of real-world sites. Based on these insights, we propose Site Policy, designed to overcome Origin Policy's shortcomings and make any insecurity explicit. We make a prototype implementation of Site Policy publicly available, along with a support toolchain for initial policy generation, security analysis, and test deployment.

History

Preferred Citation

Stefano Calzavara, Tobias Urban, Dennis Tatang, Marius Steffens and Ben Stock. Reining in the Web's Inconsistencies with Site Policy. In: Network and Distributed System Security Symposium (NDSS). 2021.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Legacy Posted Date

2020-09-15

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3214, title = "Reining in the Web's Inconsistencies with Site Policy", author = "Calzavara, Stefano and Urban, Tobias and Tatang, Dennis and Steffens, Marius and Stock, Ben", booktitle="{Network and Distributed System Security Symposium (NDSS)}", year="2021", }
