
Evaluation Of Cookie Sameorigin Policy For Web Application Security

Posted on: 2021-09-20
Degree: Master
Type: Thesis
Country: China
Candidate: H Z Liang
GTID: 2518306503473724
Subject: Electronics and Communications Engineering
Abstract/Summary:
Web applications have pervaded every corner of industry and personal life. Web application security plays an important role and has an important impact on all aspects of social operation. As an important information storage method for Web applications, cookies hold key information in the operation of Web applications, and their security is an important part of Web security. Although the cookie same-origin policy is the core policy that restricts the access permissions of cookies, it is just an abstract principle. Its implementations in modern browsers differ, which can lead to problems such as the accidental sending or setting of cookies. This paper focuses on the cookie same-origin policy and its implementation. The purpose of this research is to clarify the specific rules of the browser's same-origin policy, that is, in which Web context which request-triggering technology can carry or set cookies, and to analyze the resulting rules and their deficiencies for further improvement. This paper proposes a new perspective for researching the same-origin policy. It regards the same-origin policy as the access control policy for cookies, and regards the software module in the browser that follows the same-origin policy and is responsible for setting and sending cookies as a cookie access control system. This paper then applies access control system research methods and quality assessment methods to study the same-origin policy. Because the cookie access control system is a black box for researchers, this paper describes its functions through access control rules, which are mainly composed of some measurable and controllable access control factors and the main access operations on cookies. Based on these factors and operations, this paper designs and implements the corresponding test framework. Based on the commonly used request-triggering methods, a typical test case is designed to test five mainstream browsers, and specific cookie access control rules are obtained. Finally, this paper abstracts the test rules into an access control model corresponding to the cookie access control system, uses this access control model to evaluate the quality of the cookie access control system, analyzes the current advantages and disadvantages of the system, and puts forward corresponding improvement suggestions for the deficiencies.
Keywords/Search Tags:cookie SOP, cookie security, SOP, Web application security