(2020) A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web.
|
Text
main.pdf Download (491kB) | Preview |
Abstract
Click-jacking protection on the modern Web is commonly enforced via client-side security mechanisms for framing control, like the X-Frame-Options header (XFO) and Content Security Policy (CSP). Though these client-side security mechanisms are certainly useful and successful, delegating protection to web browsers opens room for inconsistencies in the security guarantees offered to users of different browsers. In particular, inconsistencies might arise due to the lack of support for CSP and the different implementations of the underspecified XFO header. In this paper, we formally study the problem of inconsistencies in framing control policies across different browsers and we implement an automated policy analyzer based on our theory, which we use to assess the state of click-jacking protection on the Web. Our analysis shows that 10% of the (distinct) framing control policies in the wild are inconsistent and most often do not provide any level of protection to at least one browser. We thus propose recommendations for web developers and browser vendors to mitigate this issue. Finally, we design and implement a server-side proxy to retrofit security in web applications.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Divisions: | Ben Stock (Secure Web Applications Group, SWAG) |
Conference: | USENIX-Security Usenix Security Symposium |
Depositing User: | Ben Stock |
Date Deposited: | 27 Feb 2020 14:22 |
Last Modified: | 27 Feb 2020 14:22 |
Primary Research Area: | NRA5: Empirical & Behavioral Security |
URI: | https://publications.cispa.saarland/id/eprint/3033 |
Actions
Actions (login required)
View Item |