back the origin of these bypasses to a variety of different
causes. For instance, we found that same-site cookies
could still be attached to cross-site requests by leveraging
the prerendering functionality, which did not take these
policies correctly into account.
Furthermore, a design flaw in Chromium-based
browsers enabled a bypass for both the built-in third-party
cookie blocking option and tracking protection
provided by extensions. Through JavaScript embedded
in PDFs, which are rendered by a browser extension,
cookie-bearing POST requests can be sent to other domains,
regardless of the imposed policies. Additionally,
we discovered that not every implementation of the WebExtension
API guarantees interception of every request.
This makes it impossible for extension developers to be
completely thorough in blocking or modifying undesirable
requests.
Overall, we found that browser implementations exhibited
highly inconsistent behavior with regard to enforcing
policies on third-party requests, resulting in a
high number of bypasses. This demonstrates the need
for browsers, which continuously add new features, to
be thoroughly evaluated.
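The kind of cross-browser consistency check summarized above can be sketched as follows. This is an added illustration, not code from the paper or its framework; the log format, browser names, mechanism labels and hosts are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations (not measurements from the paper): one line per
# request received by a test server while the policy under test was enabled.
# Fields: browser, initiating mechanism, initiator host, target host, Cookie
SAMPLE_LOG = """\
browserA script-tag shop.example.com cdn.tracker.test -
browserA prerender shop.example.com api.tracker.test sid=abc
browserA pdf-js-post shop.example.com tracker.test sid=abc
browserB script-tag shop.example.com cdn.tracker.test -
browserB prerender shop.example.com api.tracker.test -
browserB pdf-js-post shop.example.com tracker.test -
browserB img-tag shop.example.com static.example.com pref=1
"""

def site(host):
    # Simplification (assumption): the last two labels stand in for the
    # registrable domain. A real check needs the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def parse(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        browser, mechanism, initiator, target, cookie = line.split(maxsplit=4)
        yield {"browser": browser, "mechanism": mechanism,
               "cross_site": site(initiator) != site(target),
               "has_cookie": cookie != "-"}

def find_bypasses(log):
    """Return {mechanism: {browser: cookie leaked?}} for cross-site requests."""
    result = defaultdict(dict)
    for r in parse(log):
        if r["cross_site"]:  # same-site requests may legitimately carry cookies
            seen = result[r["mechanism"]].get(r["browser"], False)
            result[r["mechanism"]][r["browser"]] = seen or r["has_cookie"]
    return dict(result)

def inconsistent(bypasses):
    """Mechanisms where browsers disagree on whether the cookie is attached."""
    return sorted(m for m, per in bypasses.items() if len(set(per.values())) > 1)

if __name__ == "__main__":
    found = find_bypasses(SAMPLE_LOG)
    for mech, per in sorted(found.items()):
        leaking = sorted(b for b, leaked in per.items() if leaked)
        print(f"{mech:12} leaking: {leaking or 'none'}")
    print("inconsistent:", inconsistent(found))
```
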
The results of this research suggest that policy implementations
are prone to inconsistencies. That is why we
think that, as future research, the framework could be
extended to evaluate other policy implementations (e.g.
LocalStorage API [28], Content Security Policy [1]). In
addition to that, the evaluation of mobile browsers could
also be an interesting direction. This includes the mobile
counterparts of major browsers for iOS and Android, but
also mobile exclusives like Firefox Focus [36].
Acknowledgements
We would like to thank the reviewers for their insightful
comments. This research is partially funded by the
Research Fund KU Leuven.
References
[1] Content security policy level 3. W3C working draft, W3C, Sept.
2016. https://www.w3.org/TR/2016/WD-CSP3-20160913/.
[2] ACAR, G., EUBANK, C., ENGLEHARDT, S., JUAREZ, M.,
NARAYANAN, A., AND DIAZ, C. The Web Never Forgets: Persistent
Tracking Mechanisms in the Wild. Proceedings of the
2014 ACM SIGSAC Conference on Computer and Communications
Security - CCS ’14 (2014), 674–689.
[3] AGGARWAL, G., BURSZTEIN, E., JACKSON, C., AND BONEH,
D. An analysis of private browsing modes in modern browsers. In
Proceedings of the 19th USENIX Conference on Security (Berkeley,
CA, USA, 2010), USENIX Security’10, USENIX Association,
pp. 6–6.
[4] AYENSON, M., WAMBACH, D., SOLTANI, A., GOOD, N.,
AND HOOFNAGLE, C. Flash cookies and privacy II: Now with
HTML5 and ETag respawning.
[5] BARTH, A. HTTP State Management Mechanism. RFC 6265,
RFC Editor, April 2011.
[6] BARTH, A., JACKSON, C., AND MITCHELL, J. C. Robust defenses
for cross-site request forgery. In Proceedings of the 15th
ACM Conference on Computer and Communications Security
(New York, NY, USA, 2008), CCS ’08, ACM, pp. 75–88.
[7] BLOG, M. Firefox now offers a more private browsing experience.
https://blog.mozilla.org/blog/2015/11/03/firefox-now-offers-a-more-private-browsing-experience/, 2015.
[8] BLOG, M. S. Supporting same-site cookies in firefox 60.
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/, 2018.
[9] BORTZ, A., AND BONEH, D. Exposing private information by
timing web applications. In Proceedings of the 16th International
Conference on World Wide Web (New York, NY, USA, 2007),
WWW ’07, ACM, pp. 621–628.
[10] BUGREPLAY. Pornhub bypasses ad blockers with WebSockets.
https://medium.com/thebugreport/pornhub-bypasses-ad-blockers-with-websockets-cedab35a8323, 2016.
[11] CHROMIUM. chrome.webRequest.onBeforeRequest doesn’t intercept
WebSocket requests.
https://bugs.chromium.org/p/chromium/issues/detail?id=129353, 2012.
[12] COMSCORE. The impact of cookie deletion on site-server and
ad-server metrics in Australia, January 2011.
[13] ECKERSLEY, P. How unique is your web browser? In Proceedings
of the 10th International Conference on Privacy Enhancing
Technologies (Berlin, Heidelberg, 2010), PETS’10, Springer-Verlag,
pp. 1–18.
[14] ENGLEHARDT, S., AND NARAYANAN, A. Online tracking: A
1-million-site measurement and analysis. In Proceedings of the
2016 ACM SIGSAC Conference on Computer and Communications
Security (New York, NY, USA, 2016), CCS ’16, ACM,
pp. 1388–1401.
[15] FIELDING, R., GETTYS, J., MOGUL, J., FRYSTYK, H., MASINTER,
L., LEACH, P., AND BERNERS-LEE, T. Hypertext transfer
protocol – http/1.1. RFC 2616, RFC Editor, June 1999.
[16] GELERNTER, N., AND HERZBERG, A. Cross-site search attacks.
In Proceedings of the 22nd ACM SIGSAC Conference on Computer
and Communications Security (2015), ACM, pp. 1394–1405.
[17] GITHUB. PDF.js. https://mozilla.github.io/pdf.js/.
[18] GOOGLE SOURCE. PDFium. https://pdfium.googlesource.com/pdfium/.
[19] GRIGORIK, I., AND WEST, M. Reporting API. Tech. rep.,
November 2017.
[20] IQBAL, U., SHAFIQ, Z., AND QIAN, Z. The ad wars: Retrospective
measurement and analysis of anti-adblock filter lists.
pp. 171–183.
[21] JACKSON, C., AND BARTH, A. Beware of finer-grained origins.
[22] JANG, D., TATLOCK, Z., AND LERNER, S. Establishing browser
security guarantees through formal shim verification. In Proceedings
of the 21st USENIX conference on Security symposium
(2012), USENIX Association, pp. 8–8.
[23] KONTAXIS, G., AND CHEW, M. Tracking Protection in Firefox
For Privacy and Performance. In IEEE Web 2.0 Security &
Privacy (2015).
[24] LEKIES, S., STOCK, B., WENTZEL, M., AND JOHNS, M. The
unexpected dangers of dynamic javascript. In 24th USENIX Security
Symposium (USENIX Security 15) (Washington, D.C., 2015),
USENIX Association, pp. 723–735.
164 27th USENIX Security Symposium USENIX Association