Security Vulnerabilities in the Same-Origin Policy: Implications and Alternatives
Sept. 2011 (vol. 44 no. 9)
pp. 29-36
Hossein Saiedian, University of Kansas
Dan S. Broyles, Sprint Nextel
The same-origin policy (SOP), a fundamental security mechanism in Web browsers, overly restricts Web application development while leaving an ever-growing list of security holes, among them cross-site request forgery (CSRF) and cross-site scripting (XSS), reinforcing the argument that the SOP is not an appropriate security model.

References:
1. A. Rubin and D. Geer, "A Survey of Web Security," Computer, Sept. 1998, pp. 34-41.
2. J. Mischel, "Browser Applications and the Same Origin Policy," InformIT, 6 Aug. 2010; www.informit.com/guidescontent.aspx?g=dotnet&seqNum=809.
3. J. Grossman, "Cross-Site Request Forgery: The Sleeping Giant," WhiteHat Security, July 2007; www.whitehatsec.com/home/assetsWPCSRF072307.pdf.
4. A. Barth, C. Jackson, and J.C. Mitchell, "Robust Defenses for Cross-Site Request Forgery," Proc. 15th ACM Conf. Computer and Communications Security (CCS 08), ACM Press, 2008, pp. 75-87.
5. K. Jayaraman et al., "ESCUDO: A Fine-grained Protection Model for Web Browsers," Proc. IEEE 30th Int'l Conf. Distributed Computing Systems (ICDCS 10), IEEE CS Press, 2010, pp. 231-240.
6. J. Grossman, "Cross-Site Scripting Worms and Viruses: The Impending Threat and the Best Defense," WhiteHat Security, Apr. 2006; http://net-security.org/dl/articlesWHXSSThreats.pdf.
7. C. Karlof et al., "Dynamic Pharming Attacks and Locked Same-Origin Policies for Web Browsers," Proc. 14th ACM Conf. Computer and Communications Security (CCS 07), ACM Press, 2007, pp. 58-71.
8. M. Curphey and R. Arawo, "Web Application Security Assessment Tools," IEEE Security & Privacy, July/Aug. 2006, pp. 32-41.
9. S. Crites, F. Hsu, and H. Chen, "OMash: Enabling Secure Web Mashups via Object Abstractions," Proc. 15th ACM Conf. Computer and Communications Security (CCS 08), ACM Press, 2008, pp. 99-107.
10. T. Schreiber, "Session Riding: A Widespread Vulnerability in Today's Web Applications," SecureNet GmbH, Dec. 2004; www.securenet.de/papersSession_Riding.pdf.

Index Terms:
Security, Web browsers, Web applications, Same-origin policy (SOP), Cross-site request forgery (CSRF), Cross-site scripting (XSS)
Citation:
Hossein Saiedian, Dan S. Broyles, "Security Vulnerabilities in the Same-Origin Policy: Implications and Alternatives," Computer, vol. 44, no. 9, pp. 29-36, Sept. 2011, doi:10.1109/MC.2011.226