EvoSec 2025W Lecture 12
Readings
Discussion Questions
While these are questions to consider, please focus your discussion on what your group finds interesting related to the paper.
- How do modern security technologies like CORS, CSP, and CORP impact the problems identified in this paper?
- How does the rise of large platforms impact content-provider conflict?
- Did this paper change how you thought about the web?
Class Notes
Lecture 12
----------

Plan for the rest of the semester is to read (some) my old papers - lots to think about trust

Remember that you can and should critique these papers!

G1
- confining JS goes against economic model of the web, maybe?
- discussed what happened with Honey
- rethinking the web as a "wild west"

G2
- new tech defends against injection
- increasing demands for ads, so increasing need for security
- large platforms must enforce this security
- browser extensions, particularly ad block, why do we trust them more than the ad itself?

G3
- new tech prevents injection but not content-provider conflict, issue is JS environment
- large providers increase risks of conflict
- increased awareness of security issues with ads

G4
- what do we do when legit businesses go bad?
- centralization out-competed regular malware, you're already being spied on!
- can't stop people being taken advantage of through tech
- risk/reward impacts willingness for bad actors to be bad

Terri later did ViSP, SOMA, and SSS (security style sheets)

The real security issue in content-provider conflict is the DOM, not JS per se.

The security solutions that get implemented on the web are the ones that serve the major platforms - not regular users

page-level isolation mechanisms inhibit ad monitoring and ad security - avoiding click fraud
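The G2/G3 points above (new tech defends against injection but not against content-provider conflict, because the real issue is the shared DOM) can be made concrete with a small policy evaluator. The Python below is an added example, not part of the lecture notes or of any paper discussed; it is a deliberately simplified model of the `script-src` directive of Content-Security-Policy (real CSP matching also handles ports, paths, scheme inheritance, hashes and `'strict-dynamic'`). The host names (`publisher.test`, `ads.example-adnetwork.test`, `evil.test`) and the nonce are constructed for the example.

```python
"""Toy evaluator for the CSP script-src directive (added example, simplified).

It answers one question: "may this <script> element run on this page?"
It cannot answer "what may the script do once it runs?", which is the
content-provider conflict the lecture notes point at: an allowlisted
third-party script runs in the same DOM, with the same authority, as
first-party code.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence
from urllib.parse import urlparse


@dataclass
class ScriptTag:
    src: Optional[str]          # URL for an external script, None for inline
    nonce: Optional[str] = None  # value of the nonce attribute, if any


def make_policy(nonce: str, allowed_hosts: Sequence[str]) -> str:
    """Build a script-src directive: same origin, a per-response nonce, and a host allowlist."""
    sources = ["'self'", f"'nonce-{nonce}'", *allowed_hosts]
    return "script-src " + " ".join(sources)


def parse_script_src(header: str) -> List[str]:
    """Return the source expressions of the script-src directive (empty if absent)."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def host_matches(pattern: Optional[str], host: Optional[str]) -> bool:
    """'*.example.test' matches subdomains only; anything else must match exactly."""
    if pattern is None or host is None:
        return False
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] == ".example.test"
    return host == pattern


def script_allowed(header: str, page_origin: str, tag: ScriptTag) -> bool:
    """Decide whether the tag passes the page's script-src policy (simplified CSP rules)."""
    sources = parse_script_src(header)
    # Inline scripts: only a matching nonce admits them (no 'unsafe-inline' in this model).
    if tag.src is None:
        return tag.nonce is not None and f"'nonce-{tag.nonce}'" in sources
    target = urlparse(tag.src)
    page = urlparse(page_origin)
    for source in sources:
        if source == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif source.startswith("'"):
            continue  # nonce/hash keywords never match an external URL
        else:
            # Host sources are written without a scheme; only https targets are accepted here.
            pattern = urlparse(source if "://" in source else "https://" + source)
            if target.scheme == "https" and host_matches(pattern.hostname, target.hostname):
                return True
    return False


def demo() -> Dict[str, bool]:
    """Apply one policy to the scripts a publisher page might carry (constructed hosts)."""
    nonce = secrets.token_urlsafe(16)   # fresh per response, as a real server would do
    policy = make_policy(nonce, ["ads.example-adnetwork.test"])
    page = "https://publisher.test"
    return {
        "first_party_inline_with_nonce": script_allowed(policy, page, ScriptTag(None, nonce)),
        "injected_inline_without_nonce": script_allowed(policy, page, ScriptTag(None, None)),
        "first_party_external": script_allowed(policy, page, ScriptTag("https://publisher.test/app.js")),
        # Allowed by policy, yet it shares the publisher's DOM once loaded.
        "allowlisted_ad_script": script_allowed(policy, page, ScriptTag("https://ads.example-adnetwork.test/ad.js")),
        "injected_external": script_allowed(policy, page, ScriptTag("https://evil.test/x.js")),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'allowed' if allowed else 'blocked'}")
```

Run it and the injected inline and injected external scripts are blocked while the nonce-bearing inline script, the first-party file and the allowlisted ad script load. That last line is the lecture's point: the policy stops injection, but the ad script it admits has full access to the page's DOM, and a page-level isolation mechanism strong enough to change that would also cut off the monitoring the ad ecosystem relies on.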