{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T15:55:40Z","timestamp":1783007740014,"version":"3.54.5"},"publisher-location":"New York, New York, USA","reference-count":34,"publisher":"ACM Press","license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Science Foundation","award":["1314823"],"award-info":[{"award-number":["1314823"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1145\/3178876.3186091","type":"proceedings-article","created":{"date-parts":[[2018,4,13]],"date-time":"2018-04-13T15:53:48Z","timestamp":1523634828000},"page":"247-256","source":"Crossref","is-referenced-by-count":21,"title":["Uncovering HTTP Header Inconsistencies and the Impact on Desktop\/Mobile Websites"],"prefix":"10.1145","author":[{"given":"Abner","family":"Mendoza","sequence":"first","affiliation":[{"name":"Texas A&M University, College Station, TX, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Phakpoom","family":"Chinprutthiwong","sequence":"additional","affiliation":[{"name":"Texas A&M University, College Station, TX, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Guofei","family":"Gu","sequence":"additional","affiliation":[{"name":"Texas A&M University, College Station, TX, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","reference":[{"key":"key-10.1145\/3178876.3186091-1","unstructured":"Alexa Top Sites. http:\/\/www.alexa.com\/top-sites."},{"key":"key-10.1145\/3178876.3186091-2","unstructured":"ComScore survey. http:\/\/www.smartinsights.com\/mobile-marketing\/ mobile-marketing-analytics\/mobile-marketing-statistics\/."},{"key":"key-10.1145\/3178876.3186091-3","unstructured":"Fortinet, Inc. http:\/\/www.fortinet.com."},{"key":"key-10.1145\/3178876.3186091-4","unstructured":"OWASP Secure Headers. https:\/\/www.owasp.org\/index.php\/List_of_useful_ HTTP_headers."},{"key":"key-10.1145\/3178876.3186091-5","unstructured":"Devdatta Akhawe, Adam Barth, Peifung E Lam, John Mitchell, and Dawn Song. 2010. Towards a formal foundation of web security. In Computer Security Foundations Symposium (CSF), 2010 23rd IEEE. IEEE, 290--304."},{"key":"key-10.1145\/3178876.3186091-6","unstructured":"Devdatta Akhawe and Adrienne Porter Felt. 2013. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13). USENIX."},{"key":"key-10.1145\/3178876.3186091-7","unstructured":"Devdatta Akhawe, Warren He, Zhiwei Li, Reza Moazzezi, and Dawn Song. 2014. Clickjacking Revisited: A Perceptual View of UI Security. In 8th USENIX Workshop on Offensive Technologies (WOOT 14). USENIX Association, San Diego, CA. https:\/\/ www.usenix.org\/conference\/woot14\/workshop-program\/presentation\/akhawe"},{"key":"key-10.1145\/3178876.3186091-8","doi-asserted-by":"crossref","unstructured":"Adam Barth. 2011. The web origin concept. (2011).","DOI":"10.17487\/rfc6454"},{"key":"key-10.1145\/3178876.3186091-9","unstructured":"Adam Barth, Juan Caballero, and Dawn Song. 2009. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In Security and Privacy, 2009 30th IEEE Symposium on. IEEE, 360--371."},{"key":"key-10.1145\/3178876.3186091-10","doi-asserted-by":"crossref","unstructured":"Adam Barth, Collin Jackson, and John C Mitchell. 2008. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM conference on Computer and communications security. ACM, 75--88.","DOI":"10.1145\/1455770.1455782"},{"key":"key-10.1145\/3178876.3186091-11","unstructured":"Kyle Bowen and Matthew D Pistilli. 2012. Student preferences for mobile app usage. Research Bulletin)(Louisville, CO: EDUCAUSE Center for Applied Research, forthcoming), available from http:\/\/www. educause. edu\/ecar (2012)."},{"key":"key-10.1145\/3178876.3186091-12","doi-asserted-by":"crossref","unstructured":"Jianjun Chen, Jian Jiang, Haixin Duan, Nicholas Weaver, Tao Wan, and Vern Paxson. 2016. Host of Troubles: Multiple Host Ambiguities in HTTP Implementations. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA.","DOI":"10.1145\/2976749.2978394"},{"key":"key-10.1145\/3178876.3186091-13","doi-asserted-by":"crossref","unstructured":"Roy Fielding, Jim Gettys, Jeffrey Mogul, Henrik Frystyk, Larry Masinter, Paul Leach, and Tim Berners-Lee. 1999. Hypertext transfer protocol--HTTP\/1.1. Technical Report.","DOI":"10.17487\/rfc2616"},{"key":"key-10.1145\/3178876.3186091-14","unstructured":"Adonis PH Fung and KW Cheung. 2010. SSLock: sustaining the trust on entities brought by SSL. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security. ACM."},{"key":"key-10.1145\/3178876.3186091-15","doi-asserted-by":"crossref","unstructured":"A. P. H. Fung and K. W. Cheung. 2010. HTTPSLock: Enforcing HTTPS in Unmodified Browsers with Cached Javascript. In Network and System Security (NSS), 2010 4th International Conference on.","DOI":"10.1109\/NSS.2010.84"},{"key":"key-10.1145\/3178876.3186091-16","unstructured":"Robert Hansen and Jeremiah Grossman. 2008. Clickjacking. Sec Theory, Internet Security (2008)."},{"key":"key-10.1145\/3178876.3186091-17","doi-asserted-by":"crossref","unstructured":"Jeff Hodges, Collin Jackson, and Adam Barth. 2012. Http strict transport security (hsts). URL: http:\/\/tools. ietf. org\/html\/draft-ietf-websec-strict-transport-sec-04 (2012).","DOI":"10.17487\/rfc6797"},{"key":"key-10.1145\/3178876.3186091-18","doi-asserted-by":"crossref","unstructured":"Collin Jackson and Adam Barth. 2008. Forcehttps: protecting high-security web sites from network attacks. In Proceedings of the 17th international conference on World Wide Web. ACM.","DOI":"10.1145\/1367497.1367569"},{"key":"key-10.1145\/3178876.3186091-19","doi-asserted-by":"crossref","unstructured":"Trevor Jim, Nikhil Swamy, and Michael Hicks. 2007. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the 16th international conference on World Wide Web. ACM, 601--610.","DOI":"10.1145\/1242572.1242654"},{"key":"key-10.1145\/3178876.3186091-20","doi-asserted-by":"crossref","unstructured":"Michael Kranch and Joseph Bonneau. 2015. Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning.. In NDSS.","DOI":"10.14722\/ndss.2015.23162"},{"key":"key-10.1145\/3178876.3186091-21","unstructured":"Sebastian Lekies, Ben Stock, Martin Wentzel, and Martin Johns. 2015. The unexpected dangers of dynamic javascript. In 24th USENIX Security Symposium (USENIX Security 15). 723--735."},{"key":"key-10.1145\/3178876.3186091-22","unstructured":"Gervase Markham. 2007. Content restrictions. Website, version 0.9 (2007)."},{"key":"key-10.1145\/3178876.3186091-23","unstructured":"Abner Mendoza, Kapil Singh, and Guofei Gu. 2015. What is wrecking your data plan? A measurement study of mobile web overhead. In Computer Communications (INFOCOM), 2015 IEEE Conference on. IEEE, 2740--2748."},{"key":"key-10.1145\/3178876.3186091-24","doi-asserted-by":"crossref","unstructured":"Christopher Olston and Marc Najork. 2010. Web crawling. Foundations and Trends in Information Retrieval 4, 3 (2010), 175--246.","DOI":"10.1561\/1500000017"},{"key":"key-10.1145\/3178876.3186091-25","unstructured":"Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson. 2010. Busting frame busting: a study of clickjacking vulnerabilities at popular sites. IEEE Oakland Web 2 (2010), 6."},{"key":"key-10.1145\/3178876.3186091-26","unstructured":"Stuart E Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. 2007. The emperor's new security indicators. In Security and Privacy, 2007. SP'07. IEEE Symposium on. IEEE, 51--65."},{"key":"key-10.1145\/3178876.3186091-27","unstructured":"David Silver, Suman Jana, Dan Boneh, Eric Chen, and Collin Jackson. 2014. Password Managers: Attacks and Defenses. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA, 449--464. https:\/\/www. usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/silver"},{"key":"key-10.1145\/3178876.3186091-28","doi-asserted-by":"crossref","unstructured":"Kapil Singh, Alexander Moshchuk, Helen J Wang, and Wenke Lee. 2010. On the incoherencies in web browser access control policies. In 2010 IEEE Symposium on Security and Privacy. IEEE, 463--478.","DOI":"10.1109\/SP.2010.35"},{"key":"key-10.1145\/3178876.3186091-29","doi-asserted-by":"crossref","unstructured":"Suphannee Sivakorn, Angelos D Keromytis, and Jason Polakis. 2016. That's the Way the Cookie Crumbles: Evaluating HTTPS Enforcing Mechanisms. In Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society. ACM, 71--81.","DOI":"10.1145\/2994620.2994638"},{"key":"key-10.1145\/3178876.3186091-30","doi-asserted-by":"crossref","unstructured":"Suphannee Sivakorn, Iasonas Polakis, and Angelos D Keromytis. 2016. The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information. In 2016 IEEE Symposium on Security and Privacy. IEEE.","DOI":"10.1109\/SP.2016.49"},{"key":"key-10.1145\/3178876.3186091-31","doi-asserted-by":"crossref","unstructured":"Sid Stamm, Brandon Sterne, and Gervase Markham. 2010. Reining in the web with content security policy. In Proceedings of the 19th international conference on World wide web. ACM, 921--930.","DOI":"10.1145\/1772690.1772784"},{"key":"key-10.1145\/3178876.3186091-32","unstructured":"Anne Van Kesteren and others. 2010. Cross-origin resource sharing. W3C Working Draft WD-cors-20100727 (2010)."},{"key":"key-10.1145\/3178876.3186091-33","doi-asserted-by":"crossref","unstructured":"Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, and Artur Janc. 2016. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy. In Proceedings of the 23rd ACM Conference on Computer and Communications Security. Vienna, Austria.","DOI":"10.1145\/2976749.2978363"},{"key":"key-10.1145\/3178876.3186091-34","unstructured":"Xiaofeng Zheng, Jian Jiang, Jinjin Liang, Haixin Duan, Shuo Chen, Tao Wan, and Nicholas Weaver. 2015. Cookies Lack Integrity: Real-World Implications. In 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, Washington, D.C."}],"event":{"name":"the 2018 World Wide Web Conference","location":"Lyon, France","acronym":"WWW '18","number":"2018","sponsor":["SIGWEB, ACM Special Interest Group on Hypertext, Hypermedia, and Web","IW3C2, International World Wide Web Conference Committee"],"start":{"date-parts":[[2018,4,23]]},"end":{"date-parts":[[2018,4,27]]}},"container-title":["Proceedings of the 2018 World Wide Web Conference on World Wide Web - WWW '18"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3178876.3186091","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/dl.acm.org\/ft_gateway.cfm?id=3186091&ftid=1957510&dwn=1","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:11:28Z","timestamp":1750212688000},"score":1,"resource":{"primary":{"URL":"http:\/\/dl.acm.org\/citation.cfm?doid=3178876.3186091"}},"subtitle":[],"proceedings-subject":"World Wide Web","short-title":[],"issued":{"date-parts":[[2018]]},"references-count":34,"URL":"https:\/\/doi.org\/10.1145\/3178876.3186091","relation":{},"subject":[],"published":{"date-parts":[[2018]]}}}