Web applications (web apps) have two primary components: a web browser and one or more web servers. The browser typically interacts with the servers via hyper text transfer protocol (HTTP) and WebSocket connections to deliver a web application.[note 1] Certain parts of the web application need to react to user input or other client-side logic; this is done by rendering HTML or CSS or by executing JavaScript as part of the process of delivering the website.[2] Often, these user interactions require the web app to make multiple requests to the server over extended periods. To keep track of such requests, web apps often use a persistent identifier tied to a specific user through their current session or user account. This account or session will have certain identifiable attributes, such as age or access level, reflecting the user's previous interactions with the web app. If revealed to other websites, these identifiable attributes might deanonymize the user.
In an ideal scenario, these user interactions and web server communications would be done so that no two web apps are allowed to interfere with each other. However, due to various design choices made during the early years of the web, web apps can regularly interact with each other. To prevent the abuse of this behavior, browser vendors have created a set of rules called the same-origin policy. The same-origin policy stipulates that only certain interactions between two web apps are allowed.[3] For example, the same-origin policy prevents a web app from arbitrarily reaching into another web app's execution context and interacting with it.[4] However, a web app can embed content from other web apps using frames or make requests to third-party sites via cross-origin requests.[5] Notably, however, the same-origin policy prevents other web apps from directly reading the contents of these cross-origin requests unless explicitly allowed through the cross-origin resource sharing (CORS) framework.
Cross-site leaks are a class of attacks that allow attackers to obtain information despite the restrictions imposed by the same-origin policy. Cross-site leaks leverage information-leakage issues (side channels) that have historically been present in browsers. Using the leaks, an attacker can execute code to infer information about the current state of a different execution context via cross-origin requests or by embedding the victim web app in the attacking web app.[6] The attacker can then access information about a user's previous interactions with a web app.[7]
Another
. However, due to
To securely isolate web applications from each other, the interactions between two web apps are governed by the same-origin policy.[8]
During this process, the web application changes between well-defined states.[8]
Cross-site leaks allow attackers to obtain information despite this cross-origin barrier. By using information-leakage issues (side channels), an attacker can execute code to infer information about the current state of a different execution context via cross-origin requests or by embedding the victim web app in the attacking web app.[6] The attacker can then access information about a user's previous browsing activity.[7]
- ^ Knittel et al. 2021, pp. 1773, 1776.
- ^ "How the web works – Learn web development | MDN". MDN Web Docs. 2023-07-24. Archived from the original on 2023-09-24. Retrieved 2023-10-01.
- ^ Schwenk, Niemietz & Mainka 2017, p. 713.
- ^ Schwenk, Niemietz & Mainka 2017, p. 716.
- ^ Somé 2018, pp. 13–14.
- ^ a b Knittel et al. 2021, p. 1772.
- ^ a b Van Goethem et al. 2021, p. 1.
- ^ a b Knittel et al. 2021, p. 1771.
Cite error: There are <ref group=note>
tags on this page, but the references will not show without a {{reflist|group=note}}
template (see the help page).