On the Incoherencies in Web Browser Access Control Policies

Web browsers´ access control policies have evolved piecemeal in an ad-hoc fashion with the introduction of new browser features. This has resulted in numerous incoherencies. In this paper, we analyze three major access control flaws in today´s browsers: (1) principal labeling is different for different resources, raising problems when resources interplay, (2) runtime changes to principal identities are handled inconsistently, and (3)browsers mismanage resources belonging to the user principal. We show that such mishandling of principals leads to many access control incoherencies, presenting hurdles for web developers to construct secure web applications. A unique contribution of this paper is to identify the compatibility cost of removing these unsafe browser features. To do this, we have built WebAnalyzer, a crawler-based framework for measuring real-world usage of browser features, and used it to study the top 100,000 popular web sites ranked by Alexa. Our methodology and results serve as a guideline for browser designers to balance security and backward compatibility.