{"id":"https://openalex.org/W4287884574","doi":"https://doi.org/10.1109/spw54247.2022.9833880","title":"On the Security of Parsing Security-Relevant HTTP Headers in Modern Browsers","display_name":"On the Security of Parsing Security-Relevant HTTP Headers in Modern Browsers","publication_year":2022,"publication_date":"2022-05-01","ids":{"openalex":"https://openalex.org/W4287884574","doi":"https://doi.org/10.1109/spw54247.2022.9833880"},"language":"en","primary_location":{"id":"doi:10.1109/spw54247.2022.9833880","is_oa":false,"landing_page_url":"https://doi.org/10.1109/spw54247.2022.9833880","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Security and Privacy Workshops (SPW)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5031103010","display_name":"Hendrik Siewert","orcid":null},"institutions":[{"id":"https://openalex.org/I206945453","display_name":"Paderborn University","ror":"https://ror.org/058kzsd48","country_code":"DE","type":"education","lineage":["https://openalex.org/I206945453"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Hendrik Siewert","raw_affiliation_strings":["Paderborn University"],"affiliations":[{"raw_affiliation_string":"Paderborn University","institution_ids":["https://openalex.org/I206945453"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5014209822","display_name":"Martin Kretschmer","orcid":"https://orcid.org/0000-0002-4088-6569"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Martin Kretschmer","raw_affiliation_strings":["IT.NRW"],"affiliations":[{"raw_affiliation_string":"IT.NRW","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5034652773","display_name":"Marcus Niemietz","orcid":"https://orcid.org/0009-0006-1726-8099"},"institutions":[{"id":"https://openalex.org/I4210113269","display_name":"Hochschule Niederrhein","ror":"https://ror.org/027b9qx26","country_code":"DE","type":"education","lineage":["https://openalex.org/I4210113269"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Marcus Niemietz","raw_affiliation_strings":["Niederrhein University of Applied Sciences"],"affiliations":[{"raw_affiliation_string":"Niederrhein University of Applied Sciences","institution_ids":["https://openalex.org/I4210113269"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5091741421","display_name":"Juraj Somorovsky","orcid":"https://orcid.org/0000-0002-3593-7720"},"institutions":[{"id":"https://openalex.org/I206945453","display_name":"Paderborn University","ror":"https://ror.org/058kzsd48","country_code":"DE","type":"education","lineage":["https://openalex.org/I206945453"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Juraj Somorovsky","raw_affiliation_strings":["Paderborn University"],"affiliations":[{"raw_affiliation_string":"Paderborn University","institution_ids":["https://openalex.org/I206945453"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5031103010"],"corresponding_institution_ids":["https://openalex.org/I206945453"],"apc_list":null,"apc_paid":null,"fwci":1.8189,"has_fulltext":false,"cited_by_count":6,"citation_normalized_percentile":{"value":0.88160048,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"342","last_page":"352"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9976999759674072,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9972000122070312,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8351008296012878},{"id":"https://openalex.org/keywords/header","display_name":"Header","score":0.6238909959793091},{"id":"https://openalex.org/keywords/testbed","display_name":"Testbed","score":0.5588765144348145},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.5244781374931335},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5214954614639282},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.494415283203125},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.4608269929885864},{"id":"https://openalex.org/keywords/json","display_name":"JSON","score":0.445739209651947},{"id":"https://openalex.org/keywords/parsing","display_name":"Parsing","score":0.4370405972003937},{"id":"https://openalex.org/keywords/web-browser","display_name":"Web browser","score":0.430703341960907},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.3041183650493622},{"id":"https://openalex.org/keywords/web-service","display_name":"Web service","score":0.19775426387786865},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.13937675952911377},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.13021698594093323},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.08676940202713013}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8351008296012878},{"id":"https://openalex.org/C48105269","wikidata":"https://www.wikidata.org/wiki/Q1141160","display_name":"Header","level":2,"score":0.6238909959793091},{"id":"https://openalex.org/C31395832","wikidata":"https://www.wikidata.org/wiki/Q1318674","display_name":"Testbed","level":2,"score":0.5588765144348145},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.5244781374931335},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5214954614639282},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.494415283203125},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.4608269929885864},{"id":"https://openalex.org/C2780416260","wikidata":"https://www.wikidata.org/wiki/Q2063","display_name":"JSON","level":2,"score":0.445739209651947},{"id":"https://openalex.org/C186644900","wikidata":"https://www.wikidata.org/wiki/Q194152","display_name":"Parsing","level":2,"score":0.4370405972003937},{"id":"https://openalex.org/C2983909278","wikidata":"https://www.wikidata.org/wiki/Q6368","display_name":"Web browser","level":3,"score":0.430703341960907},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.3041183650493622},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.19775426387786865},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.13937675952911377},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.13021698594093323},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.08676940202713013},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/spw54247.2022.9833880","is_oa":false,"landing_page_url":"https://doi.org/10.1109/spw54247.2022.9833880","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Security and Privacy Workshops (SPW)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.7799999713897705,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":23,"referenced_works":["https://openalex.org/W181628467","https://openalex.org/W200873936","https://openalex.org/W2008251338","https://openalex.org/W2044969874","https://openalex.org/W2270231484","https://openalex.org/W2291769357","https://openalex.org/W2300554752","https://openalex.org/W2510134782","https://openalex.org/W2746937343","https://openalex.org/W2752565799","https://openalex.org/W2793272611","https://openalex.org/W2904027722","https://openalex.org/W2948008293","https://openalex.org/W2962940036","https://openalex.org/W3009588933","https://openalex.org/W3214196324","https://openalex.org/W4210531213","https://openalex.org/W4230642148","https://openalex.org/W6742708382","https://openalex.org/W6743729700","https://openalex.org/W6773787941","https://openalex.org/W6906355099","https://openalex.org/W6941734204"],"related_works":["https://openalex.org/W2548409577","https://openalex.org/W1531015913","https://openalex.org/W3180404666","https://openalex.org/W2407701912","https://openalex.org/W1484631816","https://openalex.org/W2167752994","https://openalex.org/W2907218437","https://openalex.org/W2181766705","https://openalex.org/W4245700610","https://openalex.org/W2033988509"],"abstract_inverted_index":{"Web":[0],"browsers":[1,23,204,215],"are":[2,24,93,191],"among":[3],"the":[4,14,32,50,59,65,109,139,144,148,170,194,207,225,236,246,252],"most":[5],"important":[6],"but":[7],"also":[8],"complex":[9],"software":[10],"solutions":[11],"to":[12,48,81,102,169,206,223],"access":[13],"web.":[15],"It":[16],"is":[17,62,242],"therefore":[18],"not":[19,167,243,261],"surprising":[20],"that":[21,165,203],"web":[22],"an":[25,177],"attractive":[26],"target":[27],"for":[28,221],"attackers.":[29],"Especially":[30],"in":[31,97,118,193,251],"last":[33],"decade,":[34],"security":[35,60,91],"researchers":[36],"and":[37,73,106,116,143,163,209,231,263],"browser":[38,104,155],"vendors":[39],"have":[40,79],"developed":[41],"sandboxing":[42],"mechanisms":[43],"like":[44],"security-relevant":[45,68],"HTTP":[46,69,140],"headers":[47,92,115,119],"tackle":[49],"problem":[51],"of":[52,64,67,85,147,196],"getting":[53],"a":[54,239],"more":[55],"secure":[56],"browser.":[57],"Although":[58],"community":[61],"aware":[63],"importance":[66],"headers,":[70,160],"legacy":[71],"applications":[72],"individual":[74],"requests":[75],"from":[76],"different":[77,198],"parties":[78],"led":[80],"possible":[82],"insecure":[83],"configurations":[84],"these":[86],"headers.":[87],"Even":[88],"if":[89,235],"specific":[90],"configured":[94],"correctly,":[95],"conflicts":[96,117],"their":[98,151],"functionalities":[99],"may":[100],"lead":[101],"unforeseen":[103],"behaviors":[105,156],"vulnerabilities.":[107],"Recently,":[108],"first":[110],"work":[111,152,201],"which":[112,186,241],"analyzed":[113],"duplicated":[114,159],"was":[120],"published":[121],"by":[122,136,153,245],"Calzavara":[123],"et":[124],"al.":[125],"at":[126,185],"USENIX":[127],"Security":[128],"[1].":[129],"The":[130],"authors":[131],"focused":[132],"on":[133],"inconsistent":[134],"protections":[135],"using":[137],"both,":[138],"header":[141,237],"X-Frame-Options":[142],"framing":[145],"protection":[146,253],"Content-Security-Policy.We":[149],"extend":[150],"analyzing":[154],"when":[157,218],"parsing":[158,224],"conflicting":[161],"directives,":[162],"values":[164],"do":[166],"conform":[168,205],"defined":[171,247],"ABNF":[172],"metalanguage":[173],"specification.":[174],"We":[175],"created":[176],"open-source":[178],"testbed":[179],"running":[180],"over":[181],"19,800":[182],"test":[183,189],"cases,":[184],"nearly":[187],"300":[188],"cases":[190],"executed":[192],"set":[195],"66":[197],"browsers.":[199],"Our":[200],"shows":[202],"specification":[208],"behave":[210,216,233],"securely.":[211],"However,":[212],"all":[213],"tested":[214],"differently":[217,234],"it":[219],"comes,":[220],"example,":[222],"Strict-Transport-Security":[226],"header.":[227],"Moreover,":[228],"Chrome,":[229],"Safari,":[230],"Firefox":[232],"contains":[238],"character,":[240],"allowed":[244],"ABNF.":[248],"This":[249],"results":[250],"mechanism":[254],"being":[255],"fully":[256],"enforced,":[257,259],"partially":[258],"or":[260],"enforced":[262],"thus":[264],"completely":[265],"bypassable.":[266]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}