Student Research Abstract: Least Privilege Persistent-Storage Access in Web Browsers
Pages 1797 - 1799
Abstract
Web applications often include third-party content and scripts to personalize a user's online experience. These scripts have unrestricted access to a user's private data stored in the browser's persistent storage like cookies and localstorage associated with the host page. However these third-party scripts can be compromised or may act maliciously and easily access and modify private user information like session-id, user consent, etc., that are stored in the browser.
We propose an approach to enforce least privilege access for third-party scripts on the web storage(cookies and localstorage) objects to ensure their security. We attach labels with the storage objects that specify which domains are allowed to read from and write to these objects on the page. We implement our approach on the Nightly Firefox build and show that it effectively blocks scripts from other domains, which are not allowed access based on these labels, from accessing the storage objects.
References
[1]
2023. Cookies Having Independent Partitioned State (CHIPS) - Chrome Developers. https://developer.chrome.com/en/docs/privacy-sandbox/chips/.
[2]
2023. Easylist. https://easylist-downloads.adblockplus.org/easylist_noadult.txt.
[3]
2023. Please Stop Using Local Storage - DEV Community. https://dev.to/rdegges/please-stop-using-local-storage-1i04.
[4]
2023. Usage Statistics of HttpOnly Cookies for Websites, September 2022. https://w3techs.com/technologies/details/ce-httponlycookies.
[5]
2023. Web Storage API. https://html.spec.whatwg.org/multipage/webstorage.html.
[6]
Zubair Ahmad, Samuele Casarin, and Stefano Calzavara. 2022. What Storage? An Empirical Analysis of Web Storage in the Wild. In Proceedings of the Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2022. https://www.ndss-symposium.org/wp-content/uploads/madweb2022_23005_paper.pdf
[7]
Adam Barth. 2011. HTTP State Management Mechanism. RFC 6265.
[8]
Adam Barth. 2011. The Web Origin Concept. RFC 6454.
[9]
Quan Chen, Panagiotis Ilia, Michalis Polychronakis, and Alexandros Kapravelos. 2021. Cookie Swap Party: Abusing First-Party Cookies for Web Tracking. In Proceedings of the Web Conference 2021 (Ljubljana, Slovenia) (WWW '21). Association for Computing Machinery, New York, NY, USA, 2117--2129.
[10]
Microsoft Corporation. 2002. Mitigating Cross-Site Scripting with HTTP-only Cookies. http://msdn.microsoft.com/en-us/library/ms533046(VS.85).aspx.
[11]
Dylan J Cutler. 2022. Cookies Having Independent Partitioned State specification. https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/01/
[12]
Nurullah Demir, Daniel Theis, Tobias Urban, N. Pohlmann, and Norbert Pohlmann. 2022. Towards Understanding First-Party Cookie Tracking in the Field. In GI SICHERHEIT 2022, Ed.: C. Wressnegger (Lecture Notes in Informatics (LNI), Proceedings - Series of the Gesellschaft fur Informatik (GI), Vol. P-323). Gesellschaft für Informatik (GI), 19--34.
[13]
Jordan Jueckstock, Peter Snyder, Shaown Sarker, Alexandros Kapravelos, and Benjamin Livshits. 2022. Measuring the Privacy vs. Compatibility Trade-off in Preventing Third-Party Stateful Tracking. In Proceedings of the ACM Web Conference 2022 (Virtual Event, Lyon, France) (WWW '22). Association for Computing Machinery, New York, NY, USA, 710--720.
[14]
Soheil Khodayari and Giancarlo Pellegrino. 2022. The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies. In 2022 IEEE Symposium on Security and Privacy (SP). 1590--1607.
[15]
Shaoor Munir, Sandra Siby, Umar Iqbal, Steven Englehardt, Zubair Shafiq, and Carmela Troncoso. 2022. COOKIEGRAPH: Measuring and Countering First-Party Tracking Cookies. arXiv preprint arXiv:2208.12370 (2022).
[16]
Andrew C. Myers and Barbara Liskov. 2000. Protecting Privacy Using the Decentralized Label Model. ACM Trans. Softw. Eng. Methodol. 9, 4 (oct 2000), 410--442.
Index Terms
- Student Research Abstract: Least Privilege Persistent-Storage Access in Web Browsers
Recommendations
A Performance Comparative on Most Popular Internet Web Browsers
AbstractOur reliance on the internet increases daily as it depends on the number of services implemented on the internet. With the growth of internet usage dramatically increasing, more users feel the need to explore and utilize it to the fullest. The ...
BrowStEx
Web storage or browser storage, a new client-side data storage feature, was recommended as a part of the HTML5 specifications and now widely adopted by major web browser vendors. Web storage with native browser support has changed the paradigm of web ...
An Empirical Analysis of Web Storage and Its Applications to Web Tracking
In this article, we present a large-scale empirical analysis of the use of web storage in the wild.By using dynamic taint tracking at the level of JavaScript and by performing an automated classification of the detected information flows, we shed light on ...
Comments
Information & Contributors
Information
Published In
April 2024
1898 pages
Copyright © 2024 Copyright held by the owner/author(s).
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 21 May 2024
Check for updates
Author Tags
Qualifiers
- Poster
Conference
SAC '24
Sponsor:
Acceptance Rates
Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 27Total Downloads
- Downloads (Last 12 months)27
- Downloads (Last 6 weeks)5
Reflects downloads up to 09 Nov 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in