Same-Origin Policy: Evaluation in Modern Browsers

Jörg Schwenk, Marcus Niemietz, Christian Mainka

26th USENIX Security Symposium (USENIX Security 17)


Abstract

The term Same-Origin Policy (SOP) is used to denote a complex set of rules which governs the interaction of different Web Origins within a web application. A subset of these SOP rules controls the interaction between the host document and an embedded document, and this subset is the target of our research (SOP-DOM). In contrast to other important concepts like Web Origins (RFC 6454) or the Document Object Model (DOM), there is no formal specification of the SOP-DOM.

In an empirical study, we ran 544 different test cases on each of the 10 major web browsers. We show that in addition to Web Origins, access rights granted by SOP-DOM depend on at least three attributes: the type of the embedding element (EE), the sandbox, and CORS attributes. We also show that due to the lack of a formal specification, different browser behaviors could be detected in approximately 23% of our test cases. The issues discovered in Internet Explorer and Edge are also acknowledged by Microsoft (MSRC Case 32703). We discuss our findings in terms of read, write, and execute rights in different access control models.


Tags: browser, Same Origin Policy