Extending the Same Origin Policy with Origin Attributes

Tanvi Vyas, Andrea Marchesini, Christoph Kerschbaumer

Abstract

The Same Origin Policy (SOP) builds the foundation of the current web security model. As the web evolves, numerous new specifications propose extensions to the SOP in order to improve site security or improve user privacy. Site operators benefit from an extension to the SOP because it allows sites to partition their physical origin space into many different contexts, each representing their own abstract origin. Users benefit from an extension to the SOP because it allows users to separate user data for privacy purposes and enables richer browsing experiences. Implementing any of these new features requires tremendous engineering effort for browser vendors and entails the risk of introducing new privacy-concerning vulnerabilities for end users. Instead of spending considerable engineering effort to patch the browser for every new specification that proposes to extend the SOP, we re-design a web browser's architecture and build Origin Attributes directly into a browser's rendering engine. Our implementation allows any specification or web technology to integrate into Origin Attributes with minimal engineering effort and reduces the risk of jeopardizing an end user’s security or privacy.



Paper Citation


in Harvard Style

Vyas T., Marchesini A. and Kerschbaumer C. (2017). Extending the Same Origin Policy with Origin Attributes. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 464-473. DOI: 10.5220/0006210404640473


in Bibtex Style

@conference{icissp17,
author={Tanvi Vyas and Andrea Marchesini and Christoph Kerschbaumer},
title={Extending the Same Origin Policy with Origin Attributes},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={464-473},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006210404640473},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Extending the Same Origin Policy with Origin Attributes
SN - 978-989-758-209-7
AU - Vyas T.
AU - Marchesini A.
AU - Kerschbaumer C.
PY - 2017
SP - 464
EP - 473
DO - 10.5220/0006210404640473