Page 187 - Journal of Software (《软件学报》), 2021, Issue 8

Journal of Software (软件学报) ISSN 1000-9825, CODEN RUXUEW    E-mail: jos@iscas.ac.cn
Journal of Software, 2021,32(8):2469−2504 [doi: 10.13328/j.cnki.jos.006153]    http://www.jos.org.cn
© Institute of Software, Chinese Academy of Sciences. All rights reserved.    Tel: +86-10-62562563


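Survey of Research on Browser Same-Origin Policy Security ∗

LUO Wu(1,3), SHEN Qing-Ni(2,3), WU Zhong-Hai(2,3), WU Peng-Fei(2,3), DONG Chun-Tao(2,3), XIA Yu-Tang(2,3)
1 (School of Electronics Engineering and Computer Science, Peking University, Beijing 100871)
2 (School of Software and Microelectronics, Peking University, Beijing 100871)
3 (National Engineering Research Center for Software Engineering (Peking University), Beijing 100871)
Corresponding authors: WU Zhong-Hai, E-mail: wuzh@pku.edu.cn; SHEN Qing-Ni, E-mail: qingnishen@ss.pku.edu.cn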

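Abstract: With the spread of cloud computing and mobile computing, browser applications have become diverse and large in scale, and browser security problems have become increasingly prominent. The browser same-origin policy was proposed to protect the resources of Web applications. RFC6454, W3C and the HTML5 standard all describe and define the same-origin policy, and mainstream browsers such as Chrome, Firefox, Safari and Edge all adopt it as their basic access control policy. In practice, however, the same-origin policy cannot handle the security threats introduced by third-party scripts, cannot restrict the permissions of different frames from the same origin, and grants excessive permissions to frames from different origins when it cooperates with other browser mechanisms; it also cannot guarantee the security of cross-domain/cross-origin communication mechanisms or the security of the same-origin policy under memory attacks. This paper surveys research on browser same-origin policy security: it introduces the rules of the same-origin policy and summarizes the threat model and research directions, which mainly include deficiencies of the same-origin policy rules and their countermeasures, security threats to cross-domain and cross-origin communication mechanisms and their countermeasures, and same-origin policy security under memory attacks. It also looks ahead to future directions for same-origin policy security research.
Keywords: same-origin policy; browser security; third-party script; cross-origin mechanism; memory attack
Chinese Library Classification number: TP311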


Citation format (Chinese): LUO Wu, SHEN Qing-Ni, WU Zhong-Hai, WU Peng-Fei, DONG Chun-Tao, XIA Yu-Tang. Survey of research on browser same-origin policy security. Journal of Software, 2021,32(8):2469−2504. http://www.jos.org.cn/1000-9825/6153.htm
Citation format (English): Luo W, Shen QN, Wu ZH, Wu PF, Dong CT, Xia YT. State-of-the-art survey of research on browser’s same-origin policy security. Ruan Jian Xue Bao/Journal of Software, 2021,32(8):2469−2504 (in Chinese). http://www.jos.org.cn/1000-9825/6153.htm
State-of-the-art Survey of Research on Browser’s Same-Origin Policy Security

LUO Wu(1,3), SHEN Qing-Ni(2,3), WU Zhong-Hai(2,3), WU Peng-Fei(2,3), DONG Chun-Tao(2,3), XIA Yu-Tang(2,3)
1 (School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China)
2 (School of Software and Microelectronics, Peking University, Beijing 100871, China)
3 (National Engineering Research Center for Software Engineering (Peking University), Beijing 100871, China)
Abstract: With the popularity of cloud computing and mobile computing, browser applications have become diverse and large in scale, and browser security issues are increasingly prominent. To ensure the security of Web application resources, the browser’s same-origin policy was proposed. Since then, the introduction of the same-origin policy in the RFC6454, W3C and HTML5 standards has driven modern browsers (e.g., Chrome, Firefox, Safari, and Edge) to implement the same-origin policy as their basic access control policy. In practice, however, the same-origin policy cannot handle the security threats introduced by third-party scripts, cannot limit the permissions of different frames from the same origin, and assigns excessive permissions to cross-origin frames when it works together with other browser mechanisms. It also cannot guarantee the security of cross-domain or cross-origin communication mechanisms, or its own security under memory attacks. This paper reviews existing research on the security of the browser’s same-origin policy. First, this paper describes the same-origin policy rules, followed by summarizing the threat model for research on same-origin policy

∗ Foundation item: National Natural Science Foundation of China (61672062, 61232005)
  Received: 2020-04-26; Revised: 2020-08-13; Accepted: 2020-09-15; Published online by jos: 2020-10-12