Rethinking the Use of Resource Hints in HTML5: Is Faster Always Better!?
DOI: https://doi.org/10.13052/2245-1439.625

Keywords: Resource hints, Unsolicited Web requests, User privacy, User reputation, Browser forensics, Web attacks, HTML5, Chrome

Abstract
To date, much of the development in Web-related technologies has been driven by the users' quest for an ever faster and more intuitive WWW. One of the most recent trends in this development is built around the idea that a user's WWW experience can be further improved by predicting and/or preloading, ahead of time, Web resources that the user is likely to request. Resource hints are a set of features introduced in HTML5 and intended to support the idea of predictive preloading in the WWW. In spite of the fact that resource hints were originally intended to enhance the online user experience, their introduction has unfortunately created a vulnerability that can be exploited to attack the user's privacy, security and reputation, or to turn the user's computer into a bot that can compromise the integrity of business analytics. In this article we outline six different scenarios (i.e., attacks) in which resource hints could end up turning the browser into a dangerous tool that acts without the knowledge of, and/or against, its very own user. What makes these attacks particularly concerning is that they are extremely easy to execute and do not require any form of client-side malware to be implanted on the user's machine. While one of the attacks is (just) a new form of the well-known cross-site request forgery attack, the other attacks have received little or no attention in the research literature. Through this work, we ultimately hope to make the wider Internet community critically rethink the way resource hints are implemented and used in today's WWW.
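The abstract's central point is that a resource hint makes the browser issue cookie-bearing requests the user never asked for, which is why they can both forge state changes (the CSRF variant) and inflate page-view analytics. The following server-side handler is an added example written for this page, not code from the paper or its authors. It shows the two defensive measures a site owner controls: refusing to let any GET (and therefore any hint-driven fetch) change state, and excluding speculative fetches from page-view counts. It assumes the `Purpose: prefetch` and `Sec-Purpose: prefetch` / `Sec-Purpose: prefetch;prerender` request headers that Chrome attaches to hint-driven fetches (verify the exact set against the browsers you support); the routes, the `csrf_token` form field and the `Request`/`Outcome` types are constructed for the example.

```python
"""Server-side handling of speculative (resource-hint driven) requests.

Added example, not code from the paper. The header table, routes and
token handling below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict

# Request headers browsers attach to speculative fetches. Chrome has sent
# "Purpose: prefetch" for <link rel=prefetch> and newer releases send
# "Sec-Purpose: prefetch" (or "prefetch;prerender" for prerender).
# Assumption: keep this table current with the browsers you support.
SPECULATIVE_HEADERS = {
    "purpose": {"prefetch"},
    "sec-purpose": {"prefetch", "prefetch;prerender"},
}

# Constructed set of endpoints whose handlers have side effects.
STATE_CHANGING_PATHS = {"/account/delete", "/cart/checkout"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Outcome:
    status: int
    counted_as_pageview: bool
    side_effect_performed: bool


def is_speculative(headers: Dict[str, str]) -> bool:
    """True if a prefetch/prerender hint, not a user action, issued the request."""
    for name, value in headers.items():
        allowed = SPECULATIVE_HEADERS.get(name.lower())
        if allowed and value.strip().lower() in allowed:
            return True
    return False


def handle(req: Request, analytics: Dict[str, int], csrf_token: str) -> Outcome:
    """Dispatch one request; `analytics` maps path -> human page views."""
    speculative = is_speculative(req.headers)

    if req.path in STATE_CHANGING_PATHS:
        # A hint can only produce a cookie-bearing GET, so a state change
        # that insists on POST plus a per-session token is out of its reach.
        if req.method != "POST":
            return Outcome(405, False, False)
        if speculative or req.form.get("csrf_token") != csrf_token:
            return Outcome(403, False, False)
        return Outcome(200, False, True)

    # Read-only content is served either way, but a speculative fetch is not
    # a human page view: leaving it out keeps the analytics honest.
    if not speculative:
        analytics[req.path] = analytics.get(req.path, 0) + 1
    return Outcome(200, not speculative, False)


if __name__ == "__main__":
    views: Dict[str, int] = {}
    print(handle(Request("GET", "/article", {"Sec-Purpose": "prefetch"}), views, "t1"))
    print(handle(Request("GET", "/article"), views, "t1"))
    print(views)  # only the non-speculative fetch is counted
```

The header check is a best-effort signal (a browser that omits the header looks like a user), so the POST-plus-token rule on state-changing paths is the measure that actually closes the CSRF variant; the analytics filter only removes the inflation from browsers that do label their speculative fetches.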