A4 Refereed article in a conference publication
On the Integrity of Cross-Origin JavaScripts
Authors: Ruohonen Jukka, Salovaara Joonas, Leppänen Ville
Editors: Lech Jan Janczewski, Miroslaw Kutylowski
Conference name: IFIP International Conference on ICT Systems Security and Privacy Protection
Publication year: 2018
Journal: IFIP Advances in Information and Communication Technology
Book title: ICT Systems Security and Privacy Protection: 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18-20, 2018, Proceedings
Series title: IFIP Advances in Information and Communication Technology
Volume: 529
First page: 385
Last page: 398
ISBN: 978-3-319-99827-5
DOI: https://doi.org/10.1007/978-3-319-99828-2_27
Web address: https://link.springer.com/chapter/10.1007/978-3-319-99828-2_27
Self-archived copy’s web address: https://arxiv.org/abs/1809.05628
The cross-origin policy is a fundamental part of the world
wide web. Despite the restrictions imposed by the policy, embedding of
third-party JavaScript code is allowed and commonly used. Nothing is
guaranteed about the integrity of such code. To tackle this deficiency,
solutions such as the subresource integrity standard have been recently
introduced. Given this background, this paper presents the first empirical
study on the temporal integrity of cross-origin JavaScript code. According
to the empirical results based on a ten-day polling period of over 35
thousand scripts collected from popular websites, (i) temporal integrity
changes are relatively common; (ii) the adoption of the subresource integrity
standard is still in its infancy; and (iii) it is possible to statistically
predict whether a temporal integrity change is likely to occur. With these
results and the accompanying discussion, the paper makes an important
contribution to the research on the security and privacy in the Web.