Result: On the Integrity of Cross-Origin JavaScripts

Title:
On the Integrity of Cross-Origin JavaScripts
Contributors:
Department of Future Technologies [Turku], University of Turku, Lech Jan Janczewski, Mirosław Kutyłowski, TC 11
Source:
33rd IFIP International Conference on ICT Systems Security and Privacy Protection (SEC). :385-398
Publisher Information:
HAL CCSD; Springer International Publishing, 2018.
Publication Year:
2018
Collection:
collection:IFIP
collection:IFIP-AICT
collection:IFIP-TC
collection:IFIP-TC11
collection:IFIP-SEC
collection:IFIP-AICT-529
Original Identifier:
HAL: hal-02023735
Document Type:
Conference conferenceObject
Conference papers
Language:
English
Relation:
info:eu-repo/semantics/altIdentifier/doi/10.1007/978-3-319-99828-2_27
DOI:
10.1007/978-3-319-99828-2_27
Rights:
info:eu-repo/semantics/OpenAccess
URL: http://creativecommons.org/licenses/by/
Accession Number:
edshal.hal.02023735v1
Database:
HAL

Further Information

Part 4: Software Security / Attacks
The same-origin policy is a fundamental part of the Web. Despite the restrictions imposed by the policy, embedding of third-party JavaScript code is allowed and commonly used. Nothing is guaranteed about the integrity of such code. To tackle this deficiency, solutions such as the subresource integrity standard have been recently introduced. Given this background, this paper presents the first empirical study on the temporal integrity of cross-origin JavaScript code. According to the empirical results based on a ten-day polling period of over 35 thousand scripts collected from popular websites, (i) temporal integrity changes are relatively common; (ii) the adoption of the subresource integrity standard is still in its infancy; and (iii) it is possible to statistically predict whether a temporal integrity change is likely to occur. With these results and the accompanying discussion, the paper contributes to the ongoing attempts to better understand security and privacy in the current Web.