Conference: 2016 IEEE Cybersecurity Development

Enforcing Content Security by Default within Web Browsers


Abstract

Web browsers were initially designed to retrieve resources on the World Wide Web in a static manner, such that adding security checks in select locations throughout the codebase was sufficient to provide the necessary security guarantees of the web. Even though systematic security checks were always performed, those security checks were sprinkled throughout the codebase. Over time, various specifications for dynamically loading content have proven that such a scattered security model is error-prone. Instead of opting into security checks wherever resource loads are initiated throughout the codebase, we present an approach where security checks are performed by default. By equipping every resource load with a loading context (which includes information about who initiated the load, the load type, etc.), our approach enforces an opt-out security mechanism that performs security checks by default by consulting a centralized security manager. In addition, the added load context makes it possible to provide the same security guarantees for resource loads that encounter a server-side redirect.