State-of-the-art Survey of Research on Browser's Same-Origin Policy Security
Fund Project: National Natural Science Foundation of China (61672062, 61232005)

Abstract:

With the popularity of cloud computing and mobile computing, browser applications have become diverse and large-scale, and browser security issues are increasingly prominent. To protect the resources of Web applications, the browser's same-origin policy was proposed. Its subsequent inclusion in RFC 6454, the W3C specifications and the HTML5 standard led modern browsers (e.g., Chrome, Firefox, Safari and Edge) to implement the same-origin policy as their basic access control policy. In practice, however, the same-origin policy faces several problems: handling the security threats introduced by third-party scripts, limiting the permissions of same-origin frames, and granting cross-origin frames more permissions when the policy interacts with the browser's other mechanisms. It also cannot guarantee the safety of cross-domain or cross-origin communication mechanisms, nor security under memory attacks. This paper reviews existing research on the security of the browser's same-origin policy. It first describes the same-origin policy rules, then summarizes the threat model used in same-origin policy research and the main research directions, including insufficient same-origin policy rules and their defenses, attacks and defenses on cross-domain and cross-origin mechanisms, and same-origin policy security under memory attacks. Finally, it discusses future research directions for browser same-origin policy security.

Citation

罗武, 沈晴霓, 吴中海, 吴鹏飞, 董春涛, 夏玉堂. State-of-the-art Survey of Research on Browser's Same-Origin Policy Security. Journal of Software (软件学报), 2021, 32(8): 2469-2504

History
  • Received: April 26, 2020
  • Revised: August 13, 2020
  • Online: October 12, 2020
  • Published: August 06, 2021
Copyright: Institute of Software, Chinese Academy of Sciences. Beijing ICP No. 05046678-4
Address: 4# South Fourth Street, Zhong Guan Cun, Beijing 100190. Postal Code: 100190
Phone: 010-62562563. Fax: 010-62562533. Email: jos@iscas.ac.cn
Technical Support: Beijing Qinyun Technology Development Co., Ltd.
Beijing Public Network Security No. 11040202500063