Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
The Same Origin Policy is the foremost security policy in all browsers. Like most browser code, it underwent a significant amount of changes to keep up with the recent development for HTML5. This talk covers the Same Origin Policy implemented in modern browsers. It goes into detail where browsers behave similarly and where differences occur. The presentation of noteworthy exceptions, regardless of whether they are intended or have evolved out of legacy features, is then followed by an analysis of previous flaws. We identify parsing mismatches as the key source of policy bypasses and suggest methods to analyze and test browser code with regard to this discovery. The talk also gives an outlook into things that may come and evaluates the origin as a measure to bind authority for HTML5 APIs. Using our methods we have also identified security issues in the Java Runtime Environment and Mozilla Firefox, which will be presented in the end