Abstract:
Web applications often include third-party content and scripts to personalize a user's online experience. These scripts have unrestricted access to a user's private data stored in the browser's persistent storage, such as cookies and localStorage, associated with the host page. However, these third-party scripts can be compromised or may act maliciously, and can easily access and modify private user information stored in the browser, such as the session ID and user consent.
We propose an approach that enforces least-privilege access for third-party scripts on web storage objects (cookies and localStorage) to ensure their security. We attach labels to the storage objects that specify which domains are allowed to read from and write to these objects on the page. We implement our approach on the Firefox Nightly build and show that it effectively blocks scripts from other domains that the labels do not allow from accessing the storage objects.
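The labelling idea described above can be modelled in a few lines. This is an added example, not the paper's code or its Firefox patch: an in-memory store in which each object carries read and write domain lists and every access is checked against the calling script's domain. The class and function names, the label shape, the subdomain matching rule, the rule that the creating script sets the label, and the host names are all assumptions made for illustration.

```javascript
// Added model of label-checked storage access; names and label shape are assumptions.
function hostOf(scriptUrl) {
  return new URL(scriptUrl).hostname.toLowerCase();
}

// True when host equals an allowed domain or is a subdomain of it.
// The dot boundary keeps "evilshop.example" from matching "shop.example".
function domainAllowed(host, allowed) {
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

class LabeledStorage {
  constructor(pageDomain) {
    this.pageDomain = pageDomain;
    this.items = new Map(); // key -> { value, read: [...], write: [...] }
  }

  // Creating an object attaches its label (default: host page only).
  // Overwriting needs write permission and leaves the label unchanged.
  setItem(scriptUrl, key, value, label = {}) {
    const host = hostOf(scriptUrl);
    const existing = this.items.get(key);
    if (existing) {
      if (!domainAllowed(host, existing.write)) return false;
      existing.value = value;
      return true;
    }
    const { read = [this.pageDomain], write = [this.pageDomain] } = label;
    this.items.set(key, { value, read, write });
    return true;
  }

  // A denied read returns null, the same as a missing key.
  getItem(scriptUrl, key) {
    const item = this.items.get(key);
    if (!item || !domainAllowed(hostOf(scriptUrl), item.read)) return null;
    return item.value;
  }
}

// Constructed sample: shop.example embeds a consent manager and an ad tag.
function demo() {
  const store = new LabeledStorage("shop.example");
  const page = "https://shop.example/app.js";
  const both = ["shop.example", "cmp.example"];
  store.setItem(page, "session-id", "s3cr3t"); // default label: page only
  store.setItem(page, "consent", "analytics=no", { read: both, write: both });
  return store;
}
```

With the store returned by `demo()`, a script served from `ads.example` gets `null` when reading `session-id` and `false` when overwriting `consent`, while a script from `cdn.cmp.example` can update `consent` because its label lists `cmp.example`.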