Page 220 - 《软件学报》 2021, No. 8
2502 Journal of Software 软件学报 Vol.32, No.8, August 2021