{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:14:44Z","timestamp":1763968484717,"version":"3.40.5"},"reference-count":36,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/spw54247.2022.9833880","type":"proceedings-article","created":{"date-parts":[[2022,7,25]],"date-time":"2022-07-25T20:14:47Z","timestamp":1658780087000},"page":"342-352","source":"Crossref","is-referenced-by-count":4,"title":["On the Security of Parsing Security-Relevant HTTP Headers in Modern Browsers"],"prefix":"10.1109","author":[{"given":"Hendrik","family":"Siewert","sequence":"first","affiliation":[{"name":"Paderborn University"}]},{"given":"Martin","family":"Kretschmer","sequence":"additional","affiliation":[{"name":"IT.NRW"}]},{"given":"Marcus","family":"Niemietz","sequence":"additional","affiliation":[{"name":"Niederrhein University of Applied Sciences"}]},{"given":"Juraj","family":"Somorovsky","sequence":"additional","affiliation":[{"name":"Paderborn University"}]}],"member":"263","reference":[{"year":"2021","key":"ref33","article-title":"Fetch Living Standard: CORS-preflight fetch"},{"year":"2021","key":"ref32","article-title":"Fetch Living Standard: CORS check"},{"year":"2021","key":"ref31","article-title":"Fetch Living Standard"},{"article-title":"Embedding should require explicit opt-in","year":"2020","author":"west","key":"ref30"},{"year":"2021","key":"ref36","article-title":"HTML Living 
Standard: The \u2018X-Frame-Options\u2018 header"},{"year":"2021","key":"ref35","article-title":"HTML"},{"year":"2021","key":"ref34","article-title":"Fetch Living Standard: extract header values"},{"article-title":"Exploiting CORS misconfigurations for bitcoins and bounties","year":"2018","author":"kettle","key":"ref10"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484739"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23162"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23149"},{"year":"0","key":"ref15","article-title":"Cross-Origin Resource Sharing (CORS)"},{"year":"2020","key":"ref16","article-title":"CSP: frame-ancestors"},{"year":"2020","key":"ref17","article-title":"Strict-Transport-Security"},{"journal-title":"X-Frame-Options","year":"2020","key":"ref18"},{"article-title":"Large scale analysis of CORS misconfigurations","year":"2017","author":"m\u00fcller","key":"ref19"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978363"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.17487\/rfc2616"},{"year":"2021","key":"ref27","article-title":"Content Security Policy Level 3"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.17487\/rfc5246"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-08593-7_8"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11379-1_11"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.17487\/rfc7230"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.17487\/rfc6797"},{"article-title":"Top 1 Million Analysis","year":"2020","author":"helme","key":"ref7"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.17487\/rfc5234"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/2771783.2771789"},{"key":"ref1","first-page":"683","article-title":"A tale of two headers: A formal analysis of 
inconsistent Click-Jacking protection on the web","author":"calzavara","year":"2020","journal-title":"29th USENIX Security Symposium (USENIX Security 20)"},{"key":"ref20","article-title":"Analysis of UI redressing attacks and countermeasures","author":"niemietz","year":"2019","journal-title":"PhD thesis Ruhr University Bochum Germany"},{"year":"2021","key":"ref22","article-title":"Official git mirror of the WebKit repository"},{"year":"2016","key":"ref21","article-title":"Bug 165508 - Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-"},{"key":"ref24","article-title":"Busting frame busting: a study of clickjacking vulnerabilities at popular sites","author":"rydstedt","year":"2010","journal-title":"IEEE Oakland Web 2 0 Security and Privacy (W2SP 2010)"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.17487\/rfc7034"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23244"},{"key":"ref25","first-page":"713","article-title":"Same-Origin policy: Evaluation in modern browsers","author":"schwenk","year":"2017","journal-title":"26th USENIX Security Symposium (USENIX Security 17)"}],"event":{"name":"2022 IEEE Security and Privacy Workshops (SPW)","start":{"date-parts":[[2022,5,22]]},"location":"San Francisco, CA, USA","end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Security and Privacy Workshops 
(SPW)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833855\/9833856\/09833880.pdf?arnumber=9833880","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,8,15]],"date-time":"2022-08-15T20:02:39Z","timestamp":1660593759000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833880\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":36,"URL":"https:\/\/doi.org\/10.1109\/spw54247.2022.9833880","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}