{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:13:01Z","timestamp":1750306381345,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2016,5,30]],"date-time":"2016-05-30T00:00:00Z","timestamp":1464566400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,5,30]]},"DOI":"10.1145\/2897845.2897899","type":"proceedings-article","created":{"date-parts":[[2016,5,27]],"date-time":"2016-05-27T12:37:36Z","timestamp":1464352656000},"page":"853-864","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["Data Exfiltration in the Face of CSP"],"prefix":"10.1145","author":[{"given":"Steven","family":"Van Acker","sequence":"first","affiliation":[{"name":"Chalmers University of Technology, Gothenburg, Sweden"}]},{"given":"Daniel","family":"Hausknecht","sequence":"additional","affiliation":[{"name":"Chalmers University of Technology, Gothenburg, Sweden"}]},{"given":"Andrei","family":"Sabelfeld","sequence":"additional","affiliation":[{"name":"Chalmers University of Technology, Gothenburg, Sweden"}]}],"member":"320","published-online":{"date-parts":[[2016,5,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Preventing page navigation to untrusted sources. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2015Apr\/0259.html.  Preventing page navigation to untrusted sources. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2015Apr\/0259.html."},{"key":"e_1_3_2_1_2_1","unstructured":"window.name can be used as an XSS attack vector . https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=444222.  window.name can be used as an XSS attack vector . https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=444222."},{"key":"e_1_3_2_1_3_1","unstructured":"Adam barth. CSP and inline styles. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2012Oct\/0055.html.  Adam barth. CSP and inline styles. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2012Oct\/0055.html."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2010.27"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40203-6_41"},{"key":"e_1_3_2_1_6_1","unstructured":"Ariya Hidayat. PhantomJS. http:\/\/phantomjs.org.  Ariya Hidayat. PhantomJS. http:\/\/phantomjs.org."},{"key":"e_1_3_2_1_7_1","volume-title":"USENIX Security","author":"Barth A.","year":"2008","unstructured":"A. Barth , C. Jackson , and J. C. Mitchell . Securing frame communication in browsers . In USENIX Security , 2008 . A. Barth, C. Jackson, and J. C. Mitchell. Securing frame communication in browsers. In USENIX Security, 2008."},{"key":"e_1_3_2_1_8_1","volume-title":"CoRR","author":"Born K.","year":"2010","unstructured":"K. Born . Browser-based covert data exfiltration . CoRR , 2010 . K. Born. Browser-based covert data exfiltration. CoRR, 2010."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242656"},{"key":"e_1_3_2_1_10_1","unstructured":"Brian Smith. Should CSP affect a Notification icon? https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2014Nov\/0137.html.  Brian Smith. Should CSP affect a Notification icon? https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2014Nov\/0137.html."},{"key":"e_1_3_2_1_11_1","unstructured":"CSP does not block favicon request. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1167259#c3.  CSP does not block favicon request. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1167259#c3."},{"key":"e_1_3_2_1_12_1","unstructured":"Chalmers CSE. Related materials. http:\/\/www.cse.chalmers.se\/research\/group\/security\/data-exfiltration-in-the-face-of-csp.  Chalmers CSE. Related materials. http:\/\/www.cse.chalmers.se\/research\/group\/security\/data-exfiltration-in-the-face-of-csp."},{"key":"e_1_3_2_1_13_1","volume-title":"W2SP","author":"Chen E. Y.","year":"2012","unstructured":"E. Y. Chen , S. Gorbaty , A. Singhal , and C. Jackson . Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control . In W2SP , 2012 . E. Y. Chen, S. Gorbaty, A. Singhal, and C. Jackson. Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control. In W2SP, 2012."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.20"},{"key":"e_1_3_2_1_15_1","unstructured":"Content Security Policy 1.1. http:\/\/www.w3.org\/TR\/2014\/WD-CSP11--20140211.  Content Security Policy 1.1. http:\/\/www.w3.org\/TR\/2014\/WD-CSP11--20140211."},{"key":"e_1_3_2_1_16_1","unstructured":"Content Security Policy 2.0. http:\/\/www.w3.org\/TR\/CSP\/.  Content Security Policy 2.0. http:\/\/www.w3.org\/TR\/CSP\/."},{"key":"e_1_3_2_1_17_1","unstructured":"Content Security Policy 3.0. http:\/\/w3c.github.io\/webappsec\/specs\/content-security-policy\/.  Content Security Policy 3.0. http:\/\/w3c.github.io\/webappsec\/specs\/content-security-policy\/."},{"key":"e_1_3_2_1_18_1","unstructured":"Controlling DNS prefetching. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Controlling_DNS_prefetching.  Controlling DNS prefetching. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Controlling_DNS_prefetching."},{"key":"e_1_3_2_1_19_1","unstructured":"Cure53. HTTPLeaks. https:\/\/github.com\/cure53\/HTTPLeaks.  Cure53. HTTPLeaks. https:\/\/github.com\/cure53\/HTTPLeaks."},{"key":"e_1_3_2_1_20_1","unstructured":"David Veditz. {CSP2} Preventing page navigation to untrusted sources. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2015Apr\/0270.html.  David Veditz. {CSP2} Preventing page navigation to untrusted sources. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2015Apr\/0270.html."},{"key":"e_1_3_2_1_21_1","unstructured":"Deian Stefan. WebAppSec re-charter status. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2015Feb\/0130.html.  Deian Stefan. WebAppSec re-charter status. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2015Feb\/0130.html."},{"key":"e_1_3_2_1_22_1","unstructured":"DNS Prefetching - The Chromium Projects. http:\/\/dev.chromium.org\/developers\/design-documents\/dns-prefetching.  DNS Prefetching - The Chromium Projects. http:\/\/dev.chromium.org\/developers\/design-documents\/dns-prefetching."},{"key":"e_1_3_2_1_23_1","unstructured":"StatCounter Global Stats. http:\/\/gs.statcounter.com\/.  StatCounter Global Stats. http:\/\/gs.statcounter.com\/."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/352600.352606"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382276"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-007-0076-7"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39235-1_6"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2014.03.007"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2011.5958207"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.36"},{"key":"e_1_3_2_1_31_1","unstructured":"Mike West. Remove paths from CSP? https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2014Jun\/0007.html.  Mike West. Remove paths from CSP? https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec\/2014Jun\/0007.html."},{"key":"e_1_3_2_1_32_1","volume-title":"Google Inc.","author":"Miller M. S.","year":"2008","unstructured":"M. S. Miller , M. Samuel , B. Laurie , I. Awad , and M. Stay . Caja - safe active content in sanitized JavaScript. Technical report , Google Inc. , June 2008 . M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja - safe active content in sanitized JavaScript. Technical report, Google Inc., June 2008."},{"key":"e_1_3_2_1_33_1","volume-title":"LEET","author":"Monrose F.","year":"2010","unstructured":"F. Monrose and S. Krishnan . DNS prefetching and its privacy implications: When good things go bad . In LEET , 2010 . F. Monrose and S. Krishnan. DNS prefetching and its privacy implications: When good things go bad. In LEET, 2010."},{"key":"e_1_3_2_1_34_1","unstructured":"Re: dns-prefetch. http:\/\/permalink.gmane.org\/gmane.comp.mozilla.security\/4109.  Re: dns-prefetch. http:\/\/permalink.gmane.org\/gmane.comp.mozilla.security\/4109."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"e_1_3_2_1_36_1","unstructured":"OWASP. OWASP Top 10. https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project.  OWASP. OWASP Top 10. https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project."},{"key":"e_1_3_2_1_37_1","unstructured":"Resource hints. https:\/\/w3c.github.io\/resource-hints\/.  Resource hints. https:\/\/w3c.github.io\/resource-hints\/."},{"key":"e_1_3_2_1_38_1","unstructured":"RFC1034: Domain names - concepts and facilities.  RFC1034: Domain names - concepts and facilities."},{"key":"e_1_3_2_1_39_1","unstructured":"RFC1035: Domain names - implementation and specification.  RFC1035: Domain names - implementation and specification."},{"key":"e_1_3_2_1_40_1","unstructured":"SEC Consult: Content Security Policy (CSP) - Another example on application security and \"assumptions vs. reality\". http:\/\/blog.sec-consult.com\/2013\/07\/content-security-policy-csp-another.html.  SEC Consult: Content Security Policy (CSP) - Another example on application security and \"assumptions vs. reality\". http:\/\/blog.sec-consult.com\/2013\/07\/content-security-policy-csp-another.html."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813710"},{"key":"e_1_3_2_1_42_1","unstructured":"S. Souders. Velocity and the Bottom Line. http:\/\/radar.oreilly.com\/2009\/07\/velocity-making-your-site-fast.html.  S. Souders. Velocity and the Bottom Line. http:\/\/radar.oreilly.com\/2009\/07\/velocity-making-your-site-fast.html."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772784"},{"key":"e_1_3_2_1_44_1","volume-title":"USENIX OSDI","author":"Stefan D.","year":"2014","unstructured":"D. Stefan , E. Z. Yang , P. Marchenko , A. Russo , D. Herman , B. Karp , and D. Mazi\u00e8res . Protecting users by confining JavaScript with COWL . In USENIX OSDI , 2014 . D. Stefan, E. Z. Yang, P. Marchenko, A. Russo, D. Herman, B. Karp, and D. Mazi\u00e8res. Protecting users by confining JavaScript with COWL. In USENIX OSDI, 2014."},{"key":"e_1_3_2_1_45_1","volume-title":"Proceedings of the 19th USENIX Security","author":"Ter Louw M.","year":"2010","unstructured":"M. Ter Louw , K. T. Ganesh , and V. Venkatakrishnan . AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements . In Proceedings of the 19th USENIX Security , 2010 . M. Ter Louw, K. T. Ganesh, and V. Venkatakrishnan. AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. In Proceedings of the 19th USENIX Security, 2010."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"S. Van Acker. Isolating and Restricting Client-Side JavaScript. PhD thesis KU Leuven 2015.  S. Van Acker. Isolating and Restricting Client-Side JavaScript. PhD thesis KU Leuven 2015.","DOI":"10.1007\/978-3-319-43005-8_2"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/2699026.2699118"},{"key":"e_1_3_2_1_48_1","unstructured":"W3C. public-webappsec@w3.org Mail Archives. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec.  W3C. public-webappsec@w3.org Mail Archives. https:\/\/lists.w3.org\/Archives\/Public\/public-webappsec."},{"key":"e_1_3_2_1_49_1","unstructured":"W3C. World Wide Web Consortium. http:\/\/www.w3.org\/.  W3C. World Wide Web Consortium. http:\/\/www.w3.org\/."},{"key":"e_1_3_2_1_50_1","volume-title":"Trends and Challenges in CSP Adoption. In RAID","author":"Weissbacher M.","year":"2014","unstructured":"M. Weissbacher , T. Lauinger , and W. K. Robertson . Why Is CSP Failing ? Trends and Challenges in CSP Adoption. In RAID , 2014 . M. Weissbacher, T. Lauinger, and W. K. Robertson. Why Is CSP Failing? Trends and Challenges in CSP Adoption. In RAID, 2014."},{"key":"e_1_3_2_1_51_1","unstructured":"M. Zalewski. Postcards from the post-XSS world. http:\/\/lcamtuf.coredump.cx\/postxss\/.  M. Zalewski. Postcards from the post-XSS world. http:\/\/lcamtuf.coredump.cx\/postxss\/."}],"event":{"name":"ASIA CCS '16: ACM Asia Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Xi'an China","acronym":"ASIA CCS '16"},"container-title":["Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897899","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2897845.2897899","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T05:07:01Z","timestamp":1750223221000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897899"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,5,30]]},"references-count":51,"alternative-id":["10.1145\/2897845.2897899","10.1145\/2897845"],"URL":"https:\/\/doi.org\/10.1145\/2897845.2897899","relation":{},"subject":[],"published":{"date-parts":[[2016,5,30]]},"assertion":[{"value":"2016-05-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}