Oh, the Places You'll Go! Finding Our Way Back from the Web Platform's
In its transition from the original concept of a mesh of hypertext
documents into the world's most successful application ecosystem, the
open web platform has steadily, iteratively, accumulated a large
number of unsafe features and behaviors. These features lead to
vulnerabilities in web applications, enable attacks on web users, and
often add significant complexity to developers' mental models of the
web and to user-agent implementations.
In this paper, we start from a scattered list of concrete grievances
about the web platform based on informal discussions among browser-
and web security engineers. After reviewing the details of these
issues, we work towards a model of the root causes of the problems,
categorizing them based on the type of risk they introduce to the
platform. We then identify possible solutions for each class of
issues, dividing them by the most effective approach to address it.
In the end, we arrive at a general blueprint for backing out of these
dead ends. We propose a three-pronged approach which includes
changing web browser defaults, creating a slew of features for web
authors to opt out of dangerous behaviors, and adding new security
primitives. We then show how this approach can be practically applied
to address each of the individual problems, providing a conceptual
framework for solving unsafe legacy web platform behaviors
Information Leaks via Safari's Intelligent Tracking Prevention
Intelligent Tracking Prevention (ITP) is a privacy mechanism
implemented by Apple's Safari browser, released in October 2017. ITP
aims to reduce the cross-site tracking of web users by limiting the
capabilities of cookies and other website data.
As part of a routine security review, the Information Security
Engineering team at Google has identified multiple security and
privacy issues in Safari's ITP design. These issues have a number of
unexpected consequences, including the disclosure of the user's web
browsing habits, allowing persistent cross-site tracking, and
enabling cross-site information leaks (including cross-site search).
This report is a modestly expanded version of our original
vulnerability submission to Apple (WebKit bug #201319), providing
additional context and edited for clarity. A number of the issues
discussed here have been addressed in Safari 13.0.4 and iOS 13.3,
released in December 2019.
⌖ Google Research, 2020
CSP is dead, long live CSP! On the insecurity of whitelists and the
future of Content Security Policy.
Content Security Policy is a web platform mechanism designed to
mitigate cross-site scripting (XSS), the top security vulnerability
in modern web applications. In this paper, we take a closer look at
the practical benefits of adopting CSP and identify significant flaws
in real-world deployments that result in bypasses in 94.72% of all
We base our Internet-wide analysis on a search engine corpus of
approximately 100 billion pages from over 1 billion hostnames; the
result covers CSP deployments on 1,680,867 hosts with 26,011 unique
CSP policies — the most comprehensive study to date. We
introduce the security-relevant aspects of the CSP specification and
provide an in-depth analysis of its threat model, focusing on XSS
protections. We identify three common classes of CSP bypasses and
explain how they subvert the security of a policy.
We then turn to a quantitative analysis of policies deployed on the
Internet in order to understand their security benefits. We observe
that 14 out of the 15 domains most commonly whitelisted for loading
scripts contain unsafe endpoints; as a consequence, 75.81% of
distinct policies use script whitelists that allow attackers to
bypass CSP. In total, we find that 94.68% of policies that attempt to
limit script execution are ineffective, and that 99.34% of hosts
with CSP use policies that offer no benefit against XSS.
Finally, we propose the
'strict-dynamic' keyword, an
addition to the specification that facilitates the creation of
policies based on cryptographic nonces, without relying on
domain whitelists. We discuss our experience deploying such
a nonce-based policy in a complex application and provide
guidance to web authors for improving their policies.
Why Johnny can't browse in peace: On the uniqueness of web browsing
We present the results of the first large-scale study of the
uniqueness of Web browsing histories, gathered from a total of 368,284
Internet users who visited a history detection demonstration
Our results show that for a majority of users (69%), the
browsing history is unique and that users for whom we could detect at
least 4 visited websites were uniquely identified by their histories
in 97% of cases. We observe a significant rate of stability in
browser history fingerprints: for repeat visitors, 38% of
fingerprints are identical over time, and differing ones were
correlated with original history contents, indicating static browsing
preferences (for history subvectors of size 50). We report a striking
result that it is enough to test for a small number of pages in order
to both enumerate users' interests and perform an efficient and
unique behavioral fingerprint; we show that testing 50 web pages is
enough to fingerprint 42% of users in our database, increasing to 70%
with 500 web pages.
Finally, we show that indirect history data, such as information
about categories of visited websites can also be effective in
fingerprinting users, and that similar fingerprinting can be
performed by common script providers such as Google or Facebook.
Feasibility and real-world implications of web browser history
Browser history detection through the Cascading Style Sheets visited
pseudoclass has long been known to the academic security community
and browser vendors, but has been largely dismissed as an issue of
In this paper we present several crucial real-world considerations of
CSS-based history detection to assess the feasibility of conducting
such attacks in the wild. We analyze Web browser behavior and
detectability of content returned via various protocols and HTTP
response codes. We develop an algorithm for efficient examination of
large link sets and evaluate its performance in modern browsers.
Compared to existing methods our approach is up to 6 times faster,
and is able to detect as many as 30,000 links per second in recent
browsers on modern consumer-grade hardware.
We present a web-based system capable of effectively detecting
clients' browsing histories and categorizing detected
information. We analyze and discuss real-world results obtained from
271,576 Internet users. Our results indicate that at least 76% of
Internet users are vulnerable to history detection; for a test of
most popular Internet websites we were able to detect, on average, 62
visited locations. We also demonstrate the potential for detecting
private data such as zipcodes or search queries typed into online
forms. Our results confirm the feasibility of conducting attacks on
user privacy using CSS-based history detection and demonstrate that
such attacks are realizable with minimal resources.