COOKIEGUARD: Characterizing and Isolating the First-Party Cookie Jar
arxiv(2024)
摘要
As third-party cookies are going away, first-party cookies are increasingly
being used for tracking. Prior research has shown that third-party scripts
write (or ghost-write) first-party cookies in the browser's cookie jar
because they are included in the website's main frame. What is more is that a
third-party script is able to access all first-party cookies, both the actual
first-party cookies as well as the ghost-written first-party cookies by
different third-party scripts. Existing isolation mechanisms in the web browser
such as SOP and CSP are not designed to address this lack of isolation between
first-party cookies written by different third-parties. We conduct a
comprehensive analysis of cross-domain first-party cookie retrieval,
exfiltration, and modification on top-10K websites. Most notably, we find 18%
and 4% of the first-party cookies are exfiltrated and overwritten,
respectively, by cross-domain third-party scripts. We propose to
introduce isolation between first-party cookies set by different third-party
scripts in the main frame. To this end, intercepts cookie get and set
operations between third-party scripts and the browser's cookie jar to enforce
strict isolation between first-party cookies set by different third-party
domains. Our evaluation of shows that it effectively blocks all
cross-domain cookie read/write operations to provide a fully isolated cookie
jar. While it generally does not impact appearance, navigation, or other
website functionality, the strict isolation policy disrupts Single Sign-On
(SSO) on just 11% of websites that rely on first-party cookies for session
management. Our work demonstrates the feasibility of isolating first-party
cookies.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要