The State of the Cross-Domain Nation

By deploying a configuration that allows the creation of client-side, cross-domain HTTP requests, a Web application weakens the same-origin policy. This enables sophisticated browser-based interaction which is not possible in the standard model, but also may lead to insecurities. In this paper, the authors briefly cover the technical background of client-side, cross-domain requests and explore the resulting potential security problems. Then, they present an extensive empirical study on observable cross-domain configurations and conduct an analysis of the collected data to assess the fraction of potentially vulnerable sites.