Design and Implementation of a Testing Framework for the Cookie Same-Origin Policy in Modern Browsers (Cited by: 4)

Framework for SOP Testing of Cookies in Modern Browser
Abstract: Cookies are widely used in modern web applications to store information, and protecting cookies is an important aspect of personal privacy protection in information security. It is generally believed that the writing and sending of cookies follow the same-origin policy of Web documents. However, the definition of a cookie's origin is not clear, and there are many ways to trigger an HTTP request, so the rules for sending and writing cookies, that is, in which Web documents and by which means a specific cookie can be sent, are also unclear. These ambiguities increase the risk of cookie leakage. To clarify these rules and reduce the risk of information leakage, a standardized description method for cookie writing and sending rules is proposed, and, based on the rules to be described, a testing framework for the cookie same-origin policy is designed and implemented.
Authors: LIANG Hao-zhe; MA Jin; CHEN Xiu-zhen; YANG Xiao (School of Cyber Security, Shanghai Jiaotong University, Shanghai 200240, China; Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, Shanghai 200240, China)
Source: Communications Technology (《通信技术》), 2019, Issue 12, pp. 3039-3045 (7 pages)
Keywords: Cookie; same origin policy; Web application; modern browser; HTML element