Cookies have become an important aspect of the modern-day web. By default, browsers automatically attach cookies to all HTTP requests. This allows users to keep track of which items they have added to their online shopping basket, or simply to log in to their favorite websites. However, cookies may also be exploited for more nefarious goals: users' online activities are tracked at large scale by various advertising companies, and so-called cross-site attacks can be used to take over the account of an unwitting user. In response to this increasing threat surface, a variety of defense mechanisms have been developed, either as anti-tracking or ad-blocking browser extensions, or as built-in browser features such as Tracking Protection in Firefox and SameSite cookies, which can be highly effective at thwarting cross-site attacks.
An important prerequisite for these privacy- and security-enhancing features to function properly is that all requests comply with the imposed cookie policies. As browsers have become enormously complex, certain edge cases may have been overlooked, or the interplay of specific features may have unwanted side effects. In our research, we created a framework to verify whether all imposed cookie and request policies are correctly applied (it will be made available soon). Worryingly, we found that most mechanisms could be circumvented: for instance, for every ad-blocking and anti-tracking browser extension we discovered at least one technique that could bypass its policies. For the technical details of these findings, we invite you to read our paper, which was presented at USENIX Security ’18.
We have been working with browser vendors and extension developers to mitigate the discovered issues. To verify whether you are affected by our detected bypasses, feel free to explore the data on this website (please note that we are still working to have the most up-to-date information available).
Jun 28, 2018
Requests to cross-site blacklisted domains can still be sent using various mechanisms in Opera while its built-in ad blocker is enabled.
Jun 28, 2018
The same-site cookie policy implemented by Edge can be bypassed through multiple mechanisms.
Jun 13, 2018
When enabling the option to block third-party cookies (called "allow cookies from current website only" in Safari 10), cookies that are set in a first-party context are still included in cross-site requests. It seems that only the setting of cookies is blocked, but not the sending of cookies.
Jun 11, 2018
Third-party cookies are still included in all requests when enabling the option to block these in Edge.
Apr 25, 2018
JavaScript embedded in PDF files can be used to send GET or POST requests to a cross-site domain. In Chromium this bypasses the option to block third-party cookies.
Mar 22, 2018
Extensions such as ad blockers or privacy extensions cannot intercept requests initiated by PDF files opened in Chrome or Opera through the WebExtension API.
Mar 22, 2018
Various mechanisms can be leveraged to bypass Firefox Tracking Protection. This way, cross-site requests directed at blacklisted domains can be sent while this countermeasure is enabled.
Mar 22, 2018
It is difficult for extension developers to distinguish requests initiated by browsers' background processes from requests initiated by websites.
Jan 27, 2018
Extensions for Firefox are not able to intercept (cross-site) requests to fetch the favicon through the WebExtension API.
Apr 10, 2017
Prerender functionality can be leveraged to initiate cross-site requests that include same-site cookies assigned the value strict. This bug was no longer detected for multiple versions starting from Chrome 62; however, it returned starting from Chrome 66.
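To make the kind of check described in the introduction concrete, the following is an added example and not the framework from the paper or any code from this project. It models the cookie-attachment rules a browser is expected to enforce (SameSite=Strict/Lax/None and the option to block third-party cookies) and compares them against observed requests, reporting every cookie that was sent although the policy should have withheld it. The cookie jar, the request observations and the simplification that Lax cookies ride only on top-level GET/HEAD navigations are assumptions; the two violating observations mirror the findings listed above (a Strict cookie carried on a cross-site request, and third-party cookies still being sent with blocking enabled).

```python
"""Policy model plus checker for cookie attachment (added example; constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str               # site that set the cookie, e.g. "shop.example" (assumed)
    same_site: str = "None"  # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    initiator_site: str                 # site of the document that caused the request
    target_site: str                    # site the request is sent to
    top_level_navigation: bool = False  # navigation vs. subresource/background request
    method: str = "GET"
    block_third_party: bool = False     # browser setting under test
    cookies_sent: frozenset = frozenset()  # cookie names actually observed on the wire


def expected_cookies(jar, req):
    """Names of cookies the modelled policy allows on this request."""
    allowed = set()
    cross_site = req.initiator_site != req.target_site
    for c in jar:
        if c.site != req.target_site:
            continue                    # cookie belongs to another site
        if not cross_site:
            allowed.add(c.name)         # same-site: every attribute permits sending
            continue
        # Third-party blocking: cross-site subresource requests get no cookies at all.
        # A top-level navigation makes the target first-party again (assumed model).
        if req.block_third_party and not req.top_level_navigation:
            continue
        if c.same_site == "Strict":
            continue                    # never attached to cross-site requests
        if c.same_site == "Lax":
            if req.top_level_navigation and req.method in ("GET", "HEAD"):
                allowed.add(c.name)
            continue
        allowed.add(c.name)             # SameSite=None
    return allowed


def check(jar, req):
    """Cookies that were observed on the request but the policy should have withheld."""
    return set(req.cookies_sent) - expected_cookies(jar, req)


# Constructed cookie jar and observations (all names and sites are hypothetical).
JAR = [
    Cookie("session", "shop.example", "Strict"),
    Cookie("prefs", "shop.example", "Lax"),
    Cookie("tracker", "ads.example", "None"),
]

OBSERVATIONS = [
    ("same-site fetch",
     Request("shop.example", "shop.example",
             cookies_sent=frozenset({"session", "prefs"}))),
    ("top-level link click from another site",
     Request("other.example", "shop.example", top_level_navigation=True,
             cookies_sent=frozenset({"prefs"}))),
    ("cross-site subresource carrying a Strict cookie",
     Request("other.example", "shop.example",
             cookies_sent=frozenset({"session"}))),
    ("third-party cookies blocked, yet tracker cookie sent",
     Request("news.example", "ads.example", block_third_party=True,
             cookies_sent=frozenset({"tracker"}))),
]


def audit(jar=JAR, observations=OBSERVATIONS):
    """Map each observation label to the set of cookies sent in violation of the policy."""
    return {label: check(jar, req) for label, req in observations}


if __name__ == "__main__":
    for label, bad in audit().items():
        print(f"{label}: {'OK' if not bad else 'VIOLATION ' + str(sorted(bad))}")
```

Feeding real observations into `audit` requires instrumenting the target site to log which cookie names arrive per request and tagging each request with its initiator and navigation type; the model then acts as the oracle, so any mechanism that produces a non-empty violation set is a candidate bypass to report rather than a confirmed one.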