A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web

Authors: 

Stefano Calzavara, Università Ca' Foscari Venezia; Sebastian Roth, CISPA Helmholtz Center for Information Security and Saarbrücken Graduate School of Computer Science; Alvise Rabitti, Università Ca' Foscari Venezia; Michael Backes and Ben Stock, CISPA Helmholtz Center for Information Security

Abstract: 

Click-jacking protection on the modern Web is commonly enforced via client-side security mechanisms for framing control, like the X-Frame-Options header (XFO) and Content Security Policy (CSP). Though these client-side security mechanisms are certainly useful and successful, delegating protection to web browsers opens room for inconsistencies in the security guarantees offered to users of different browsers. In particular, inconsistencies might arise due to the lack of support for CSP and the different implementations of the underspecified XFO header. In this paper, we formally study the problem of inconsistencies in framing control policies across different browsers and we implement an automated policy analyzer based on our theory, which we use to assess the state of click-jacking protection on the Web. Our analysis shows that 10% of the (distinct) framing control policies in the wild are inconsistent and most often do not provide any level of protection to at least one browser. We thus propose recommendations for web developers and browser vendors to mitigate this issue. Finally, we design and implement a server-side proxy to retrofit security in web applications.
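To make the notion of an inconsistent framing control policy concrete, here is a small Python checker added for this page (it is not the paper's analyzer and does not implement its formal model). It assumes three simplified browser models, named here as an illustration: a modern engine that honours CSP `frame-ancestors` and ignores XFO `ALLOW-FROM`, a legacy engine with no CSP support that understands `ALLOW-FROM`, and a legacy engine that only knows `DENY`/`SAMEORIGIN`; unrecognised XFO values are assumed to impose no restriction, and CSP source matching is reduced to host comparison.

```python
from urllib.parse import urlsplit

# Simplified browser models assumed for this example (not the paper's formal model):
# (honours CSP frame-ancestors?, understands XFO ALLOW-FROM?)
BROWSERS = {"csp_and_xfo": (True, False),    # modern engine: CSP wins, ALLOW-FROM ignored
            "xfo_allowfrom": (False, True),  # legacy engine: no CSP, ALLOW-FROM understood
            "xfo_basic": (False, False)}     # legacy engine: DENY/SAMEORIGIN only

def origin(url):
    u = urlsplit(url.strip())
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def source_matches(src, framer):
    # One frame-ancestors source expression; assumption: host-only matching (scheme ignored),
    # supporting '*', 'scheme://host', 'host' and '*.host'.
    host = origin(framer)[1]
    s_host = src.split("://")[-1].split("/")[0].split(":")[0].lower()
    return s_host == "*" or (host.endswith(s_host[1:]) if s_host.startswith("*.") else host == s_host)

def csp_allows(policy, page, framer):
    # True/False per the frame-ancestors directive; None when the policy carries none.
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(origin(page) == origin(framer) if s == "'self'" else
                       source_matches(s, framer) for s in parts[1:] if s != "'none'")
    return None

def xfo_allows(value, page, framer, allow_from):
    # Assumption: unknown or unsupported XFO values impose no restriction (fail-open).
    v = value.strip()
    if v.upper() == "DENY":
        return False
    if v.upper() == "SAMEORIGIN":
        return origin(page) == origin(framer)
    if v.upper().startswith("ALLOW-FROM") and allow_from:
        return origin(v[10:]) == origin(framer)
    return True

def evaluate(headers, page, framer):
    # Per-browser verdict: True means `framer` may embed `page` under these response headers.
    verdicts = {}
    for browser, (csp, allow_from) in BROWSERS.items():
        csp_hdr = headers.get("Content-Security-Policy")
        verdict = csp_allows(csp_hdr, page, framer) if csp and csp_hdr else None
        if verdict is None:  # no applicable CSP: fall back to XFO, allow if it is absent
            xfo = headers.get("X-Frame-Options")
            verdict = xfo_allows(xfo, page, framer, allow_from) if xfo else True
        verdicts[browser] = verdict
    return verdicts

def is_inconsistent(headers, page, framer):
    return len(set(evaluate(headers, page, framer).values())) > 1
```

Running `evaluate` on a constructed policy such as `X-Frame-Options: ALLOW-FROM https://partner.example` paired with `Content-Security-Policy: frame-ancestors https://partner.example` shows the pattern the abstract describes: two of the modelled browsers block an unrelated framer while the basic legacy engine, which understands neither mechanism, allows it.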


BibTeX
@inproceedings {251564,
author = {Stefano Calzavara and Sebastian Roth and Alvise Rabitti and Michael Backes and Ben Stock},
title = {A Tale of Two Headers: A Formal Analysis of Inconsistent {Click-Jacking} Protection on the Web},
booktitle = {29th USENIX Security Symposium (USENIX Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {683--697},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/calzavara},
publisher = {USENIX Association},
month = aug
}
