Authors: 罗武 [1,3], 沈晴霓, 吴中海 [2,3], 吴鹏飞, 董春涛 [2,3], 夏玉堂 (LUO Wu; SHEN Qing-Ni; WU Zhong-Hai; WU Peng-Fei; DONG Chun-Tao; XIA Yu-Tang)
Affiliations: [1] School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China; [2] School of Software and Microelectronics, Peking University, Beijing 100871, China; [3] National Engineering Research Center for Software Engineering (Peking University), Beijing 100871, China
Source: Journal of Software (软件学报), 2021, No. 8, pp. 2469-2504 (36 pages)
Funding: National Natural Science Foundation of China (61672062, 61232005)
Abstract: With the popularity of cloud computing and mobile computing, browser applications have become diverse and large in scale, and browser security issues are increasingly prominent. To ensure the security of Web application resources, the browser same-origin policy was proposed. Since then, the description of the same-origin policy in RFC 6454 and in the W3C and HTML5 standards has driven modern browsers (e.g., Chrome, Firefox, Safari, and Edge) to implement the same-origin policy as their basic access control policy. In practice, however, the same-origin policy faces several problems: it cannot handle the security threats introduced by third-party scripts, it cannot restrict the permissions of different same-origin frames, and, when it cooperates with other browser mechanisms, it grants cross-origin frames too many permissions. It also cannot guarantee the safety of cross-domain or cross-origin communication mechanisms, nor the security of the same-origin policy itself under memory attacks. This paper reviews existing research on browser same-origin policy security. It first describes the same-origin policy rules, then summarizes the threat model used in same-origin policy research and the main research directions, namely insufficient same-origin policy rules and their countermeasures, security threats to cross-domain and cross-origin communication mechanisms and their countermeasures, and same-origin policy security under memory attacks. Finally, it discusses future research directions for browser same-origin policy security.
Keywords: same-origin policy; browser security; third-party scripts; cross-origin mechanisms; memory attacks
Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]