{"id":"https://openalex.org/W7166880259","doi":"https://doi.org/10.1145/3805773.3805993","title":"Origin Story: A Comprehensive Lifecycle Analysis of Same-Origin Policy Bugs","display_name":"Origin Story: A Comprehensive Lifecycle Analysis of Same-Origin Policy Bugs","publication_year":2026,"publication_date":"2026-06-30","ids":{"openalex":"https://openalex.org/W7166880259","doi":"https://doi.org/10.1145/3805773.3805993"},"language":null,"primary_location":{"id":"doi:10.1145/3805773.3805993","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3805773.3805993","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2026 ACM Secure Development Conference","raw_type":"proceedings-article"},"type":"conference-paper","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3805773.3805993","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5139742159","display_name":"Jakub Szymsza","orcid":"https://orcid.org/0009-0004-6596-3817"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Jakub Szymsza","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0009-0004-6596-3817","affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5026610847","display_name":"Gertjan Franken","orcid":"https://orcid.org/0000-0002-4859-8027"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Gertjan Franken","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0002-4859-8027","affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050475190","display_name":"Vik Vanderlinden","orcid":"https://orcid.org/0000-0002-6142-8057"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Vik Vanderlinden","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0002-6142-8057","affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5061602585","display_name":"Tom Van Goethem","orcid":"https://orcid.org/0000-0001-6846-9081"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Tom Van Goethem","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0001-6846-9081","affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5065091484","display_name":"Mathy Vanhoef","orcid":"https://orcid.org/0000-0002-8971-9470"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Mathy Vanhoef","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0002-8971-9470","affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5081256404","display_name":"Lieven Desmet","orcid":"https://orcid.org/0000-0001-5155-7472"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Lieven Desmet","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium"],"raw_orcid":"https://orcid.org/0000-0001-5155-7472","affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I99464096"],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"14","last_page":"29"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.84170001745224,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.84170001745224,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.044599998742341995,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.030400000512599945,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/security-policy","display_name":"Security policy","score":0.49239999055862427},{"id":"https://openalex.org/keywords/system-lifecycle","display_name":"System lifecycle","score":0.4799000024795532},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.3221000134944916},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.27379998564720154},{"id":"https://openalex.org/keywords/application-security","display_name":"Application security","score":0.2685000002384186}],"concepts":[{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.49239999055862427},{"id":"https://openalex.org/C35280785","wikidata":"https://www.wikidata.org/wiki/Q559486","display_name":"System lifecycle","level":4,"score":0.4799000024795532},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.45260000228881836},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.4106000065803528},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.36809998750686646},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.3221000134944916},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.288100004196167},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.2840999960899353},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.27379998564720154},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.27250000834465027},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.2685000002384186},{"id":"https://openalex.org/C2779977028","wikidata":"https://www.wikidata.org/wiki/Q1493813","display_name":"Gap analysis (conservation)","level":3,"score":0.26460000872612},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.26019999384880066}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3805773.3805993","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3805773.3805993","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2026 ACM Secure Development Conference","raw_type":"proceedings-article"},{"id":"pmh:oai:lirias2repo.kuleuven.be:20.500.12942/789071","is_oa":true,"landing_page_url":"https://lirias.kuleuven.be/handle/20.500.12942/789071","pdf_url":"https://lirias.kuleuven.be/retrieve/f577c491-446c-4995-95fc-3e2985e75efc","source":{"id":"https://openalex.org/S7407055369","display_name":"Lirias","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"ACM Secure Development (SecDev) Conference 2026, Montreal, Canada","raw_type":"info:eu-repo/semantics/conferenceObject"}],"best_oa_location":{"id":"doi:10.1145/3805773.3805993","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3805773.3805993","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2026 ACM Secure Development Conference","raw_type":"proceedings-article"},"sustainable_development_goals":[{"score":0.45316675305366516,"id":"https://metadata.un.org/sdg/12","display_name":"Responsible consumption and production"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":19,"referenced_works":["https://openalex.org/W1974977720","https://openalex.org/W2019982354","https://openalex.org/W2025874281","https://openalex.org/W2044969874","https://openalex.org/W2072978486","https://openalex.org/W2113247363","https://openalex.org/W2129630219","https://openalex.org/W2255369088","https://openalex.org/W2510134782","https://openalex.org/W2575436837","https://openalex.org/W2726232829","https://openalex.org/W3214196324","https://openalex.org/W4281396748","https://openalex.org/W4311165836","https://openalex.org/W4388856986","https://openalex.org/W4408749806","https://openalex.org/W4408749848","https://openalex.org/W4414594130","https://openalex.org/W4416549345"],"related_works":[],"abstract_inverted_index":{"The":[0],"Same-Origin":[1],"Policy":[2,105],"(SOP)":[3],"serves":[4],"as":[5],"the":[6,26,79],"web's":[7],"fundamental":[8],"security":[9,87],"mechanism,":[10],"isolating":[11],"resources":[12],"between":[13],"different":[14],"web":[15],"origins":[16],"to":[17,46,97],"prevent":[18],"malicious":[19],"cross-site":[20],"interactions.":[21],"Despite":[22],"its":[23],"critical":[24],"role,":[25],"SOP":[27,56,86],"lacks":[28],"a":[29,41],"unified":[30],"formal":[31],"specification":[32],"and":[33,48,68,91],"has":[34,53,60],"evolved":[35],"informally":[36],"over":[37],"decades,":[38],"resulting":[39],"in":[40],"fragmented":[42],"implementation":[43],"landscape":[44],"prone":[45],"bypasses":[47],"inconsistencies.":[49],"While":[50],"prior":[51],"research":[52],"examined":[54],"specific":[55],"flaws,":[57],"no":[58],"study":[59],"systematically":[61],"analyzed":[62],"how":[63],"these":[64],"bugs":[65,88],"are":[66],"introduced":[67],"resolved":[69],"throughout":[70],"their":[71],"lifecycle.":[72],"We":[73],"address":[74],"this":[75],"gap":[76],"by":[77,94],"conducting":[78],"first":[80],"comprehensive":[81],"lifecycle":[82],"analysis":[83],"of":[84],"97":[85],"across":[89],"Chromium":[90],"Firefox,":[92],"enabled":[93],"our":[95],"extensions":[96],"BugHog\u2014a":[98],"framework":[99],"previously":[100],"used":[101],"on":[102],"Content":[103],"Security":[104],"(CSP)":[106],"bugs.":[107]},"counts_by_year":[],"updated_date":"2026-07-14T23:27:15.235271","created_date":"2026-07-02T00:00:00"}
