Least Privilege Access for Persistent Storage Mechanisms in Web Browsers

TL;DR

This paper proposes a fine-grained access control mechanism for browser persistent storage, using labels to restrict third-party scripts, and demonstrates its effectiveness and impact through empirical analysis and implementation in Firefox.

Contribution

It introduces a least privilege access control system for browser storage that enforces domain-specific permissions for third-party scripts.

Findings

89.84% of cookie accesses are by third-party scripts

90.98% of localstorage accesses are by third-party scripts

72.49% of IndexedDB accesses are by third-party scripts

Abstract

Web applications often include third-party content and scripts to personalize a user's online experience. These scripts have unrestricted access to a user's private data stored in the browser's persistent storage like cookies, localstorage and IndexedDB, associated with the host page. Various mechanisms have been implemented to restrict access to these storage objects, e.g., content security policy, the HttpOnly attribute with cookies, etc. However, the existing mechanisms provide an all-or-none access and do not work in scenarios where web applications need to allow controlled access to cookies and localstorage objects by third-party scripts. If some of these scripts behave maliciously, they can easily access and modify private user information that are stored in the browser objects. The goal of our work is to design a mechanism to enforce fine-grained control of persistent storage objects. We perform an empirical study of persistent storage access by third-party scripts on Tranco's top 10,000 websites and find that 89.84% of all cookie accesses, 90.98% of all localstorage accesses and 72.49% of IndexedDB accesses are done by third-party scripts. Our approach enforces least privilege access for third-party scripts on these objects to ensure their security by attaching labels to the storage objects that specify which domains are allowed to read from and write to these objects. We implement our approach on the Firefox browser and show that it effectively blocks scripts from other domains, which are not allowed access based on these labels, from accessing the storage objects. We show that our enforcement results in some functionality breakage in websites with the default settings, which can be fixed by correctly labeling the storage objects used by the third-party scripts.