The State of the Cross-domain Nation

By deploying a configuration that allows the creation of client-side, cross-domain HTTP requests, a Web application weakens the same-origin policy. This enables sophisticated browser-based interaction which is not possible in the standard model, but also may lead to insecurities. In this paper, we briefly cover the technical background of client-side, cross-domain requests and explore the resulting potential security problems. Then, we present an extensive empirical study on observable cross-domain configurations and conduct an analysis of the collected data to assess the fraction of potentially vulnerable sites. For this purpose, we collected the cross-domain policies of 1.093.127 Web sites. The results of our analysis show that 2,8% of all examined sites are potentially insecure, including 15.060 sites for which an exploitable condition can be predicted with a high level of confidence.