Cross-site leaks, also known as XS-leaks, are a class of attacks used to access a user's sensitive information on another website. It is a term found in internet security. Cross-site leaks allow an attacker to access a user's interactions with other websites. This can contain sensitive information. Web browsers normally stop other websites from seeing this information. This is enforced through a set of rules called the same-origin policy. Attackers can sometimes get around these rules, using a "cross-site leak". Attacks using a cross-site leak are often initiated by enticing users to visit the attacker's website. Upon visiting, the attacker uses malicious code on their website to interact with another website. This can be used by a attacker to learn about the user's previous actions on the other website. The information from this attack can uniquely identify the user to the attacker.

These attacks have been documented since 2000. One of the first research papers on the topic was published by researchers at Purdue University. The paper described an attack where the web cache was exploited to gather information about a website. Since then, cross-site leaks have become increasingly sophisticated. Researchers have found newer leaks targeting various web browser components. While the efficacy of some of these techniques varies, newer techniques are continually being discovered. Some older methods are blocked through updates to browser software. The introduction and removal of features on the Internet also lead to some attacks being rendered ineffective.

Cross-site leaks are a diverse form of attack, and there is no consistent classification of such attacks. Multiple sources classify cross-site leaks by the technique used to leak information. Among the well-known cross-site leaks are timing attacks, which depend on timing events within the web browser. Error events constitute another category, using the presence or absence of events to disclose data. Additionally, cache-timing attacks rely on the web cache to unveil information. Since 2023, newer attacks that use operating systems and web browser limits to leak information have also been found.

Before 2017, defending against cross-site leaks was considered to be difficult. This was because many of the information leakage issues exploited by cross-site leak attacks were inherent to the way websites worked. Most defences against this class of attacks have been introduced after 2017 in the form of extensions to the hypertext transfer protocol (HTTP). These extensions allow websites to instruct the browser to disallow or annotate certain kinds of stateful requests coming from other websites. One of the most successful approaches browsers have implemented is SameSite cookies. SameSite cookies allow websites to set a directive that prevents other websites from accessing and sending sensitive cookies. Another defences involves using HTTP headers to restrict which websites can embed a particular site. Cache partitioning also serves as a defence against cross-site leaks, preventing other websites from using the web cache to exfiltrate data.

Background

Further information: Same-origin policy

Web applications (web apps) have two primary components: a web browser and one or more web servers. The browser typically interacts with the servers via hyper text transfer protocol (HTTP) and WebSocket connections to deliver a web application.[note 1] Certain parts of the web application need to react to user input or other client-side logic; this is done by rendering HTML or CSS or by executing JavaScript as part of the process of delivering the website.[2] Often, these user interactions require the web app to make multiple requests to the server over extended periods. To keep track of such requests, web apps often use a persistent identifier tied to a specific user through their current session or user account.[3] This account or session will have certain identifiable attributes, such as age or access level, reflecting the user's previous interactions with the web app. If revealed to other websites, these identifiable attributes might deanonymize the user.[4]

In an ideal scenario, these user interactions and web server communications would be done so that no two web apps are allowed to interfere with each other. However, due to various design choices made during the early years of the web, web apps can regularly interact with each other.[5] To prevent the abuse of this behavior, web browsers have created a set of rules called the same-origin policy. The same-origin policy stipulates that only certain interactions between two web apps are allowed.[6][7] For example, the same-origin policy prevents a web app from arbitrarily reaching into another web app's execution context and interacting with it.[8] However, a web app can embed content from other web apps using frames or make requests to third-party sites via cross-origin requests.[9] Notably, however, the same-origin policy prevents other web apps from directly reading the contents of these cross-origin requests unless explicitly allowed through the cross-origin resource sharing (CORS) framework.[10]

Cross-site leaks allow attackers to obtain information despite the restrictions imposed by the same-origin policy. Cross-site leaks leverage information-leakage issues (side channels) that have historically been present in browsers. Using the leaks, an attacker can execute code to infer information about the current state of a different execution context via cross-origin requests or by embedding the victim web app in the attacking web app.[11] The attacker can then access information about a user's previous interactions with a web app.[12]

Mechanism

The threat model of a cross-site leak relies on the attacker being able to direct the victim to a malicious website that is at least partially under the attacker's control. The attacker can accomplish this by compromising a web page, by phishing the user to a web page and loading arbitrary code, or by using a malicious advertisement on an otherwise-safe web page.[13][14]

To carry out a cross-site leak attack, an attacker must first study how a website interacts with users. They need to identify a specific URL that produces different Hyper Text Transfer Protocol (HTTP) responses based on the user's past actions on the site.[15][16] For instance, if the attacker is trying to attack Gmail, they could try to find a search URL that returns an different HTTP response based on how many search results are found for a specific search term in a user's emails.[17] Once an attacker finds a specific URL, they can then host a website and phish or otherwise lure unsuspecting users to the website. Once the victim is on the attacker's website, the attacker can use various embedding techniques to initiate cross-origin HTTP requests to the URL identified by the attacker.[18] However, since the attacker is on a different website, the same-origin policy imposed by the web browser will prevent the attacker from directly reading any part of the response sent by the vulnerable website.[note 2][19]

To circumvent this security barrier, the attacker can use browser-leak methods, to distinguish subtle differences between different responses. Browser leak methods are JavaScript, CSS or HTML snippets that leverage long-standing information leakage issues (side channels) in the web browser to reveal specific characteristics about a HTTP response.[15][16] In the case of Gmail, the attacker could use JavaScript to time how long the browser took to parse the HTTP response returned by the search result. If the time taken to parse the response returned by the endpoint was low, the attacker could infer that there were no search results for their query. Alternatively, if the site took longer, the attacker could infer that multiple search results were returned.[17] The attacker can subsequently use the information gained through these information leakages to exfiltrate sensitive information, which can be used to track and deanonymize the victim.[18] In the case of Gmail, the attacker could make a request to the search endpoint with a query and subsequently measure the time the query took to figure out whether or not the user had any emails containing a specific query string.[note 3] If a response takes very little time to be processed, the attacker can assume that no search results were returned. Conversely, if a response takes a large amount amount of time to be processed, the attacker infer that a lot of search results were returned. By making multiple requests, an attacker could gain significant insight into the current state of the victim application, potentially revealing private information of a user, helping launch sophisticated spamming and phishing attacks.[20]

While every method of initiating a cross-origin request to a URL in a web page can be combined with every browser-leak method, this does not work in practice because dependencies exist between different inclusion methods and browser leaks. Some browser-leak methods require specific inclusion techniques to succeed.[21] For example, if the browser-leak method relies on checking CSS attributes such as the width and height of an element, the inclusion technique must use an HTML element with a width and height property, such as an image element, that changes when a cross-origin request returns an invalid or a differently sized image.[22][23]

Example

The example of a Python-based web application with a search endpoint interface implemented using the following Jinja template demonstrates a common scenario of how a cross-site leak attack could occur.[23]

<html lang="en">
<body>
<h2>Search results</h2>
   {% for result in results %}
   <div class="result">
      <img src="//cdn.com/result-icon.png" />
      {% result.description %}
   </div>
   {% endfor %}
</body>
</html>

This code is a template for displaying search results on a webpage. It loops through a collection of results provided by a HTTP server backend and displays each result along with its description inside a structured div element alongside a icon loaded from a different website. The underlying application authenticates the user based on cookies that are attached to the request and performs a textual search of the user's private information using a string provided in a GET parameter. For every result returned, an icon that is loaded from a Content Delivery Network (CDN) is shown alongside the result.[13][24]

This simple functionality is vulnerable to a cross-leak attack, as shown by the following JavaScript snippet.[13]

let icon_url = 'https://cdn.com/result-icon.png';
iframe.src = 'https://service.com/?q=password';
iframe.onload = async () => {
     const start = performance.now();
     await fetch(icon_url);
     const duration = performance.now() - start;
     if (duration < 5) // loaded resource from cache
         console.log('Query had results');
     else
         console.log('No results for query parameter');
};

This JavaScript snippet, which can be embedded in an attacker-controlled web app, loads the victim web app inside an iframe, waits for the document to load and subsequently requests the icon from the CDN. The attacker can determine whether the icon was cached by timing its return. Because the icon will only be cached if and only if the victim app returns at least one result, the attacker can determine whether the victim app returned any results for the given query.[23][24][25]

History

Cross-site leaks have been known about since 2000;[26] research papers dating from that year from Purdue University describe a theoretical attack that uses the HTTP cache to compromise the privacy of a user's browsing habits.[27] In 2007, Andrew Bortz and Dan Boneh from Stanford University published a white paper detailing an attack that made use of timing information to determine the size of cross-site responses.[28] In 2015, researchers from Bar-Ilan University described a cross-site search attack that used similar leaking methods but used a technique in which the input was crafted to grow the size of the responses, leading to a proportional growth in the time taken to generate the responses, thus increasing the attack's accuracy.[29]

Independent security researchers have published blog posts describing cross-site leak attacks against real-world applications. In 2009, Chris Evans described an attack against Yahoo! Mail via which a malicious site could search a user's inbox for sensitive information.[30] In 2018, Luan Herrara described a security exploit that allowed them to exfiltrate data about sensitive security issues using the search functionality of Google's Monorail bug tracker that is actively used by open-source projects such as the Chromium, Angle and Skia Graphics Engine.[31][32] In 2019, Terjanq, a Polish security researcher, published a blog post describing a cross-site search attack that allowed them to exfiltrate sensitive user information across high-profile Google products.[11][25]

As part of its increased focus on dealing with security issues that depend on misusing long-standing web-platform features, Google launched XSLeaks Wiki in 2020 in an attempt to create an open-knowledge database, and analysing and compiling information about cross-site leak attacks.[30][33][34]

Since 2020, there has been some interest among the academic security community in standardizing the classification of these attacks. In 2020, Sudhodanan et al. were among the first to systematically summarize previous work in cross-site leaks, and developed a tool called BASTA-COSI that could be used to detect leaky URLs. [34][35] In 2021, Knittel et al. proposed a new formal model to evaluate and characterize cross-site leaks, allowing the researchers to find new leaks affecting several browsers. [34][36] In 2022, Van Goethem et al. evaluated currently available defences against these attacks and extended the existing model to consider the state of browser components as part of the model.[34][16] In 2023, a paper published by Rautenstrauch et al. systemizing previous research into cross-site leaks was awarded the Distinguished Paper Award at the IEEE Symposium of Security and Privacy.[37]

Types

Cross-site leaks comprise a highly varied range of attacks[38] for which there is no established, uniform classification.[39] However, multiple sources typically categorized these attacks by the leaking techniques used during an attack.[21] As of 2021, researchers have identified over 38 leak techniques that target components of the browser.[13] New techniques are typically discovered due to changes in web platform APIs, which are JavaScript interfaces that allow websites to query the browser for specific information.[40] Although the majority of these techniques involve directly detecting state changes in the victim web app, some attacks also exploit alterations in shared components within the browser to indirectly glean information about the victim web app.[21]

Timing attacks

Timing attacks rely on the ability to time specific events across multiple responses.[41] These were discovered by researchers at Stanford University in 2007, making them one of the oldest-known types of cross-site leak attacks.[28]

While initially used only to differentiate between the time it took for a HTTP request to resolve a response,[28] research performed after 2007 has demonstrated the use of this leak technique to detect other differences across web-app states. In 2017, Vila et al. showed timing attacks could infer cross-origin execution times across embedded contexts. This was made possible by a lack of site isolation features in contemporaneous browsers, which allowed an attacking website to slow down and amplify timing differences caused by differences in the amount of JavaScript being executed when events were sent to a victim web app.[42][43]

In 2021, Knittel et al. showed the Performance API[note 4] could leak the presence or absence of redirects in responses. This was possible due to a bug in the Performance API that allowed the amount of time shown to the user to be negative when a redirect occurred. Google Chrome subsequently fixed this bug.[45] In 2023, Snyder et al. showed timing attacks could be used to perform pool-party attacks in which websites could block shared resources by exhausting their global quota. By making the victim web app execute JavaScript that used these shared resources and then timing how long these executions took, the researchers were able to reveal information about the state of a web app. [46]

Error events

Error events is a leak technique that allows an attacker to distinguish between multiple responses by registering error-event handlers and listening for events through them. Due to their versatility and ability to leak a wide range of information, error events are considered a classic cross-site leak vector.[47]

One of the most-common use cases for error events in cross-site leak attacks is determining HTTP responses by attaching the event handlers onload and onerror event handlers to a HTML element and waiting for specific error events to occur. A lack of error events indicates no HTTP errors occurred. In contrast, if the handler onerror is triggered with a specific error event, the attacker can use that information to distinguish between HTTP content types, status codes and media-type errors.[48] In 2019, researchers from TU Darmstadt showed this technique could be used to perform a targeted deanonymization attack against users of popular web services such as Dropbox, Google Docs, and GitHub that allow users to share arbitrary content with each other.[49][50]

Since 2019, the capabilities of error events have been expanded. In 2020, Janc et al. showed by setting the redirect mode for a fetch request to manual, a website could leak information about whether a specific URL is a redirect.[51][43] Around the same time, Jon Masas and Luan Herrara showed by abusing URL-related limits, an attacker could trigger error events that could be used to leak redirect information about URLs.[52] In 2021, Knittel et al. showed error events that are generated by a sub-resource integrity check, a mechanism that is used to confirm a sub-resource a website loads has not been changed or compromised, could also be used to guess the raw content of an HTTP response and to leak the content-length of the response.[53][54]

Cache-timing attacks

Cache-timing attacks rely on the ability to infer hits and misses in shared caches on the web platform.[55] One of the first instances of a cache-timing attack involved the making of a cross-origin request to a page and then probing for the existence of the resources loaded by the request in the shared HTTP and the DNS cache. The paper describing the attack was written by researchers at Purdue University in 2000, and describes the attack's ability to leak a large portion of a user's browsing history by selectively checking if resources that are unique to a web page have been loaded.[56][55][57]

This attack has become increasingly sophisticated, allowing the leakage of other types of information. In 2014, Jia et al. showed this attack could geo-locate a person by measuring the time it takes for the localized domain of a group of multinational websites to load.[55][58][59] In 2015, Van Goethem et al. showed using the then-newly introduced application cache, a website could instruct the browser to disregard and override any caching directive the victim website sends. The paper also demonstrated a website could gain information about the size of the cached response by timing the cache access.[60][61]

Global limits

Global limits, which are also known as pool-party attacks, do not directly rely on the state of the victim web app. This cross-site leak was first discovered by Knittel et al. in 2020 and then expanded by Snyder et al. in 2023.[46] The attack to abuses global operating systems or hardware limitations to starve shared resources.[62] Global limits that could be abused include the number of raw socket connections that can be registered and the number of service workers that can be registered. An attacker can infer the state of the victim website by performing an activity that triggers these global limits and comparing any differences in browser behaviour when the same activity is performed without the victim website being loaded.[63] Since these types of attacks typically also require timing side channels, they are also considered timing attacks.[46]

Other techniques

In 2019, Gareth Heyes discovered that by setting the URL hash of a website to a specific value and subsequently detecting whether a loss of focus on the current web page occurred, an attacker could determine the presence and position of elements on a victim website.[64] In 2020, Knittel et al. showed an attacker could leak whether or not a Cross-Origin-Opener-Policy header was set by obtaining a reference to the window object of a victim website by framing the website or by creating a popup of the victim website. Using the same technique of obtaining window references, an attacker could also count the number of frames a victim website had through the window.length property.[45][65]

While newer techniques continue to be found, older techniques for performing cross-site leaks have become obsolete due to changes in the World Wide Web Consortium (W3C) specifications and updates to browsers. In December 2020, Apple updated its browser Safari's Intelligent Tracking Prevention (ITP) mechanism, rendering a variety of cross-site leak techniques researchers at Google had discovered ineffective.[66][67][68] Similarly, the widespread introduction of cache partitioning in all major browsers in 2020 has reduced the potency of cache-timing attacks.[69]

Defences

Despite being known about since 2000, most defences against cross-site leaks have been introduced after 2017.[70] Before the introduction of these defences, websites could defend against cross-site leaks by ensuring the same response was returned for all application states, thwarting the attacker's ability to differentiate the requests. This approach was infeasible for any non-trivial website. The second approach was to create session-specific URLs that would not work outside a user's session. This approach limits link sharing, and is thus infeasible and impractical.[26][71]

Most modern defences against cross-site leaks are extensions to the HTTP protocol that either prevent state changes, make cross-origin requests stateless, or completely isolate shared resources across multiple origins.[69]

Isolating shared resources

Raw data from the cache timing attack discussed in § Example. When cache partitioning is disabled, a clear distinction can be made between the cached and uncached responses, whereas, with cache partitioning, the two response times overlap.
  cached response
  un-cached response

One of the earliest and best-known methods of performing cross-site leaks was using the HTTP cache, an approach that relied on querying the browser cache for unique resources a victim's website might have loaded. By measuring the time it took for a cross-origin request to resolve an attacking website, one could determine whether the resource was cached and, if so, the state of the victim app.[24][72] As of October 2020, most browsers have implemented HTTP cache partitioning, drastically reducing the effectiveness of this approach.[73] HTTP cache partitioning works by multi-keying each cached request depending on which website requested the resource. This means if a website loads and caches a resource, the cached request is linked to a unique key generated from concatenating the resources URL and that of the requesting website. If another website attempts to access the same resource, the request will be treated as a cache miss unless that website has previously cached a identical request. This prevents an attacking website from deducing whether a resource has been cached by a victim website.[74][75][76]

Another, more developer-oriented feature that allows the isolation of execution contexts includes the Cross-Origin-Opener-Policy (COOP) header, which was originally added to address Spectre issues in the browser.[77][78] It has proved useful for preventing cross-site leaks because if the header is set with a same-origin directive as part of the response, the browser will disallow cross-origin websites from being able to hold a reference to the defending website when it is opened from a third-party page.[79][80][81]

As part of an effort to mitigate cross-site leaks, the developers of the browsers Chrome, Brave, Microsoft Edge, Firefox and Safari have implemented storage partitioning,[82] allowing all shared resources used by each website to be multi-keyed, dramatically reducing the number of inclusion techniques that can infer the states of a web app.[83]

Preventing state changes

Cross-site leak attacks depend on the ability of a malicious web page to receive cross-origin responses from the victim application. By preventing the malicious application from being able to receive cross-origin responses, the user is no longer in danger of having state changes leaked.[84] This approach is seen in defences such as the deprecated X-Frame-Options header and the newer frame-ancestors directive in Content-Security Policy headers, which allow the victim application to specify which websites can include it as an embedded frame.[85] If the victim app disallows the embedding of the website in untrusted contexts, the malicious app can no longer observe the response to cross-origin requests made to the victim app using the embedded frame technique.[86][87]

A similar approach is taken by the Cross-Origin Resource Blocking (CORB) mechanism and the Cross-Origin-Resource-Policy (CORP) header, which allows a cross-origin request to succeed but blocks the loading of the content in third-party websites if there is a mismatch between the content type that was expected and that which was received.[88] This feature was originally introduced as part of a series of mitigations against the Spectre vulnerability[89] but it has proved useful in preventing cross-origin leaks because it blocks the malicious web page from receiving the response and thus inferring state changes.[86][90][91]

Making cross-origin requests stateless

One of the most-effective approaches to mitigating cross-site leaks has been the use of the SameSite parameter in cookies. Once set to Lax or Strict, this parameter prevents the browser from sending cookies in most third-party requests, effectively making the request stateless.[note 5][91] Adoption of Same-Site cookies, however, has been slow because it requires changes in the way many specialized web servers, such as authentication providers, operate.[93] In 2020, the makers of the Chrome browser announced they would be turning on SameSite=Lax as the default state for cookies across all platforms.[94][95] Despite this, there are still cases in which SameSite=Lax cookies are not respected, such as Chrome's LAX+POST mitigation, which allows a cross-origin site to use a SameSite=Lax cookie in a request if and only if the request is sent while navigating the page and it occurs within two minutes of the cookie being set.[92] This has led to bypasses and workarounds against the SameSite=Lax limitation that still allow cross-site leaks to occur.[96][97]

Fetch metadata headers, which include the Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-User and Sec-Fetch-Dest header, which provide information about the domain that initiated the request, details about the request's initiation, and the destination of the request respectively to the defending web server, have also been used to mitigate cross-site leak attacks.[98] These headers allows the web server to distinguish between legitimate third-party, same-site requests and harmful cross-origin requests. By discriminating between these requests, the server can send a stateless response to malicious third-party requests and a stateful response to routine same-site requests.[99] To prevent the abusive use of these headers, a web app is not allowed to set these headers, which must only be set by the browser.[100][75]

See also

References

Notes

  1. ^ While there are other possible ways for interactions between web browsers and web servers to occur (such as the WebRTC protocol), in the context of cross-site leaks, only the HTTP interactions and WebSocket connections are considered important.[1] The rest of the article will assume the HTTP interactions and WebSocket connections are the only two ways for web browsers to interact with web servers.
  2. ^ This includes metadata associated with the response like status codes and HTTP headers[19]
  3. ^ An example of such a query could be the name of a well known bank, or the contact information of a person or organization that the user is expected to have interacted with.[20]
  4. ^ The Performance API is a set of Javascript functions that allow websites to retrieve various metrics associated with web performance[44]
  5. ^ Setting the Strict directive ensures that all cross-site requests are stateless, whereas Lax allows the browser to send cookies for non-state changing (i.e. GET or HEAD) requests which are sent while navigating to a different page from the cross-origin page.[92]

Citations

  1. ^ Knittel et al. 2021, pp. 1773, 1776.
  2. ^ "How the web works – Learn web development | MDN". MDN Web Docs. 24 July 2023. Archived from the original on 24 September 2023. Retrieved 1 October 2023.
  3. ^ Wagner, David; Weaver, Nicholas; Kao, Peyrin; Shakir, Fuzail; Law, Andrew; Ngai, Nicholas. "Cookies and Session Management". UC Berkeley CS-161 Computer Security Textbook. Retrieved 24 March 2024.
  4. ^ Sudhodanan, Khodayari & Caballero 2020, pp. 2–3.
  5. ^ Zalewski 2011, p. 15.
  6. ^ Schwenk, Niemietz & Mainka 2017, p. 713.
  7. ^ Zalewski 2011, p. 16.
  8. ^ Schwenk, Niemietz & Mainka 2017, p. 716.
  9. ^ Somé 2018, pp. 13–14.
  10. ^ "Same-origin policy - Security on the web | MDN". MDN Web Docs. 20 December 2023. Retrieved 24 March 2024.
  11. ^ a b Knittel et al. 2021, p. 1772.
  12. ^ Van Goethem et al. 2021, p. 1.
  13. ^ a b c d Van Goethem et al. 2022, p. 786.
  14. ^ Sudhodanan, Khodayari & Caballero 2020, p. 11.
  15. ^ a b Rautenstrauch, Pellegrino & Stock 2023, p. 2747.
  16. ^ a b c Van Goethem et al. 2022, p. 787.
  17. ^ a b Gelernter & Herzberg 2015, pp. 1399–1402.
  18. ^ a b Sudhodanan, Khodayari & Caballero 2020, p. 1.
  19. ^ a b Van Goethem et al. 2016, p. 448.
  20. ^ a b Gelernter & Herzberg 2015, p. 1400.
  21. ^ a b c Van Goethem et al. 2022, p. 788.
  22. ^ Rautenstrauch, Pellegrino & Stock 2023, p. 2745.
  23. ^ a b c Van Goethem et al. 2022, p. 785.
  24. ^ a b c Felten & Schneider 2000, p. 26.
  25. ^ a b Terjanq. "Mass XS-Search using Cache Attack – HackMD". GitHub. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  26. ^ a b Rautenstrauch, Pellegrino & Stock 2023, p. 2754.
  27. ^ Felten & Schneider 2000, pp. 25, 26, 27, 31.
  28. ^ a b c Bortz & Boneh 2007, pp. 623–625.
  29. ^ Gelernter & Herzberg 2015, pp. 1394–1397.
  30. ^ a b Walker, James (21 March 2019). "New XS-Leak techniques reveal fresh ways to expose user information". The Daily Swig. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  31. ^ Van Goethem et al. 2021, pp. 1, 6.
  32. ^ Herrera, Luan (31 March 2019). "XS-Searching Google's bug tracker to find out vulnerable source code". Medium. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  33. ^ Van Goethem et al. 2021, p. 10.
  34. ^ a b c d Rautenstrauch, Pellegrino & Stock 2023, p. 2756.
  35. ^ Sudhodanan, Khodayari & Caballero 2020, p. 2.
  36. ^ Knittel et al. 2021, p. 1773.
  37. ^ "IEEE Symposium on Security and Privacy 2023". sp2023.ieee-security.org. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  38. ^ Van Goethem et al. 2022, p. 784.
  39. ^ Rautenstrauch, Pellegrino & Stock 2023, p. 2748.
  40. ^ Rautenstrauch, Pellegrino & Stock 2023, pp. 2755–2756.
  41. ^ Van Goethem et al. 2022, pp. 796, 797.
  42. ^ Vila & Köpf 2017, pp. 851–853.
  43. ^ a b Van Goethem et al. 2022, p. 796.
  44. ^ "Performance - Web APIs | MDN". MDN Web Docs. 19 February 2023. Retrieved 11 March 2024.
  45. ^ a b Knittel et al. 2021, p. 1778.
  46. ^ a b c Snyder et al. 2023, p. 7095.
  47. ^ Knittel et al. 2021, p. 1775.
  48. ^ Knittel et al. 2021, pp. 1775, 1785.
  49. ^ Staicu & Pradel 2019, pp. 924, 930.
  50. ^ Zaheri, Oren & Curtmola 2022, p. 1505.
  51. ^ Knittel et al. 2021, p. 1785.
  52. ^ Knittel et al. 2021, pp. 1777, 1785.
  53. ^ Knittel et al. 2021, pp. 1778, 1782.
  54. ^ Van Goethem et al. 2022, p. 789.
  55. ^ a b c Mishra et al. 2021, p. 404.
  56. ^ Felten & Schneider 2000, pp. 25, 28, 29.
  57. ^ Bansal, Preibusch & Milic-Frayling 2015, p. 97.
  58. ^ Jia et al. 2015, pp. 1, 2.
  59. ^ Bansal, Preibusch & Milic-Frayling 2015, p. 99.
  60. ^ Van Goethem, Joosen & Nikiforakis 2015, pp. 1385, 1386.
  61. ^ Kim, Lee & Kim 2016, pp. 411–413.
  62. ^ Snyder et al. 2023, pp. 7096, 7097.
  63. ^ Knittel et al. 2021, pp. 1782, 1776–1778.
  64. ^ "XS-Leak: Leaking IDs using focus". PortSwigger Research. 8 October 2019. Archived from the original on 28 December 2023. Retrieved 28 December 2023.
  65. ^ Van Goethem et al. 2022, p. 797.
  66. ^ Ng, Alfred. "Google finds Apple Safari anti-tracking feature actually enabled tracking". CNET. Archived from the original on 11 December 2023. Retrieved 28 December 2023.
  67. ^ Wilander, John (10 December 2019). "Preventing Tracking Prevention Tracking". WebKit. Archived from the original on 16 November 2023. Retrieved 28 December 2023.
  68. ^ Janc, Artur; Kotowicz, Krzysztof; Weichselbaum, Lukas; Clapis, Roberto. "Information Leaks via Safari's Intelligent Tracking Prevention". Google Research. Archived from the original on 28 December 2023. Retrieved 28 December 2023.
  69. ^ a b Knittel et al. 2021, p. 1780.
  70. ^ Van Goethem et al. 2021, p. 16.
  71. ^ Zaheri & Curtmola 2021, p. 160.
  72. ^ Mishra et al. 2021, p. 399.
  73. ^ Doan et al. 2022.
  74. ^ Kitamura, Eiji (6 October 2020). "Gaining security and privacy by partitioning the cache". Chrome for Developers. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  75. ^ a b Van Goethem et al. 2021, p. 7.
  76. ^ Bannister, Adam (13 October 2020). "Google Chrome partitions browser HTTP cache to defend against XS-Leak attacks". The Daily Swig. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  77. ^ Reis, Moshchuk & Oskov 2019, p. 1674.
  78. ^ Van Goethem, Sanchez-Rola & Joosen 2023, p. 379.
  79. ^ Van Goethem et al. 2022, p. 792.
  80. ^ "Cross-Origin-Opener-Policy – HTTP | MDN". MDN Web Docs. 10 April 2023. Archived from the original on 31 October 2023. Retrieved 31 October 2023.
  81. ^ Kitamura, Eiji. "Making your website "cross-origin isolated" using COOP and COEP | Articles". web.dev. Archived from the original on 31 October 2023. Retrieved 31 October 2023.
  82. ^ Snyder et al. 2023, p. 7092.
  83. ^ "State Partitioning - Privacy on the web | MDN". MDN Web Docs. 24 July 2023. Retrieved 5 February 2024.
  84. ^ Van Goethem et al. 2022, p. 791.
  85. ^ Calzavara et al. 2020, pp. 684, 685.
  86. ^ a b Van Goethem et al. 2021, p. 5.
  87. ^ "X-Frame-Options – HTTP | MDN". MDN Web Docs. 25 July 2023. Archived from the original on 27 October 2023. Retrieved 29 October 2023.
  88. ^ "Cross-Origin Read Blocking (CORB)". Chromium Gerrit. Archived from the original on 7 November 2023. Retrieved 7 November 2023.
  89. ^ Reis, Moshchuk & Oskov 2019, pp. 1665, 1666.
  90. ^ "Cross-Origin Resource Policy (CORP) – HTTP | MDN". MDN Web Docs. 10 May 2023. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  91. ^ a b Knittel et al. 2021, p. 1781.
  92. ^ a b Khodayari & Pellegrino 2022, p. 1592.
  93. ^ Khodayari & Pellegrino 2022, p. 1590.
  94. ^ Khodayari & Pellegrino 2022, pp. 1596, 1600.
  95. ^ Compagna et al. 2021, pp. 50–51.
  96. ^ "Bypassing SameSite cookie restrictions | Web Security Academy". Portswigger Research. Archived from the original on 29 October 2023. Retrieved 29 October 2023.
  97. ^ Khodayari & Pellegrino 2022, pp. 1596–1598.
  98. ^ Weichselbaum, Lukas. "Protect your resources from web attacks with Fetch Metadata | Articles". web.dev. Archived from the original on 7 November 2023. Retrieved 7 November 2023.
  99. ^ Beer et al. 2021.
  100. ^ "Sec-Fetch-Site – HTTP | MDN". MDN Web Docs. 25 October 2023. Archived from the original on 29 October 2023. Retrieved 29 October 2023.

Sources

Further reading