Abstract
The web execution model allows third-party JavaScript to run in a single shared execution context. Access control for these scripts is currently all or nothing. It has been this way for over a decade, despite the knowledge that this model permits privacy violations and even exfiltration of user data. Consequently, users have little to no control over which third parties operate on their Personally Identifying Information (PII) when they interact with a web application. In this work we aim to explain the lack of solutions to this problem and to suggest more promising future directions. We first survey past proposed solutions and their trade-offs. We then build a monitoring system in the Firefox browser that captures third-party script access to user-supplied PII in HTML form elements. We proceed to inspect 100,000 websites with our Monitor and a custom web crawler to highlight the complexity of the use cases in which third-party scripts operate on user PII. Our findings inform the creation of a grading rubric and a systematization for solutions in this space, which we then apply to many previous works. The complexity exposed through this effort allows us to start a discussion around why current technological and policy solutions fail to be adopted. Ultimately we propose a research direction that allows web applications to take advantage of the interoperability of the web execution model while also respecting an end user's privacy and security.
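As an added illustration of the kind of monitoring the abstract describes (example code written for this page, not the paper's Firefox Monitor), the following hooks a form field's value getter and attributes each read to the script origin found on the call stack, labelling it first- or third-party relative to the page origin. The FakeInput class, the hook name and the origins are constructed assumptions; in a browser the same function would be applied to HTMLInputElement.prototype with location.origin.

```javascript
const accessLog = [];
const HOOK_MARKER = '__piiReadHook';

// Origin of the first script frame after the hook's own frame in a stack trace.
// Handles both V8 ("at fn (url:line:col)") and SpiderMonkey ("fn@url:line:col")
// layouts; returns null when no http(s) frame follows the marker.
function originOfReader(stack) {
  const lines = String(stack || '').split('\n');
  const start = lines.findIndex((l) => l.includes(HOOK_MARKER)) + 1;
  for (const frame of lines.slice(start)) {
    const m = /(https?:\/\/[^/\s:)]+(?::\d+)?)/.exec(frame);
    if (m) return m[1];
  }
  return null;
}

// Label the reading script as first- or third-party relative to the page origin.
function classifyAccess(stack, pageOrigin) {
  const origin = originOfReader(stack);
  if (origin === null) return { origin, party: 'unknown' };
  return { origin, party: origin === pageOrigin ? 'first' : 'third' };
}

// Replace the getter on proto[prop] with one that logs the reader, then
// delegates to the original getter so page behaviour is unchanged.
function instrumentValueReads(proto, prop, pageOrigin) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.get !== 'function') throw new Error('no getter for ' + prop);
  Object.defineProperty(proto, prop, {
    configurable: true, enumerable: desc.enumerable, set: desc.set,
    get: function __piiReadHook() {
      const entry = classifyAccess(new Error().stack, pageOrigin);
      entry.field = this.name;
      accessLog.push(entry);
      return desc.get.call(this);
    },
  });
}

// Constructed stand-in for HTMLInputElement so the example runs under Node.
class FakeInput {
  constructor(name, v) { this.name = name; this._v = v; }
  get value() { return this._v; }
  set value(v) { this._v = v; }
}

instrumentValueReads(FakeInput.prototype, 'value', 'https://shop.example');
const emailField = new FakeInput('email', 'alice@example.com');
console.log(emailField.value, accessLog[accessLog.length - 1]);
```

Under Node the stack carries file paths rather than http(s) URLs, so the live read is logged with party 'unknown'; the constructed browser-style stacks show the first- and third-party cases.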