{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T07:00:28Z","timestamp":1782889228402,"version":"3.54.5"},"publisher-location":"New York, NY, USA","reference-count":76,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,6,30]],"date-time":"2026-06-30T00:00:00Z","timestamp":1782777600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,6,30]]},"DOI":"10.1145\/3805773.3805993","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T05:20:41Z","timestamp":1782883241000},"page":"14-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Origin Story: A Comprehensive Lifecycle Analysis of Same-Origin Policy Bugs"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-6596-3817","authenticated-orcid":false,"given":"Jakub","family":"Szymsza","sequence":"first","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4859-8027","authenticated-orcid":false,"given":"Gertjan","family":"Franken","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6142-8057","authenticated-orcid":false,"given":"Vik","family":"Vanderlinden","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6846-9081","authenticated-orcid":false,"given":"Tom","family":"Van Goethem","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8971-9470","authenticated-orcid":false,"given":"Mathy","family":"Vanhoef","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5155-7472","authenticated-orcid":false,"given":"Lieven","family":"Desmet","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,6,30]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"crossref","unstructured":"Adam Barth. 2011. HTTP State Management Mechanism. https:\/\/datatracker.ie tf.org\/doc\/html\/rfc6265","DOI":"10.17487\/rfc6265"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"crossref","unstructured":"Adam Barth. 2011. The Web Origin Concept. https:\/\/datatracker.ietf.org\/doc\/h tml\/rfc6454","DOI":"10.17487\/rfc6454"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"key":"e_1_3_2_1_4_1","first-page":"757","volume-title":"Web Platform Threats: Automated Detection of Web Security Issues With WPT. In 33rd USENIX Security Symposium (USENIX Security 24)","author":"Bernardo Pedro","year":"2024","unstructured":"Pedro Bernardo, Lorenzo Veronese, Valentino Dalla Valle, Stefano Calzavara, Marco Squarcina, Pedro Ad\u00e3o, and Matteo Maffei. 2024. Web Platform Threats: Automated Detection of Web Security Issues With WPT. In 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association, Philadelphia, PA, 757-774. https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/bernardo"},{"key":"e_1_3_2_1_5_1","unstructured":"Frederik Braun. 2012. Origin policy enforcement in modern browsers. Ph. D. Dissertation. Ruhr-Universit\u00e4t Bochum."},{"key":"e_1_3_2_1_6_1","first-page":"1079","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Chen Jianjun","year":"2018","unstructured":"Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. 2018. We Still Don't Have Secure Cross-Domain Requests: an Empirical Study of CORS. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 1079-1093. https:\/\/www.usenix.org\/conference\/us enixsecurity18\/presentation\/chen-jianjun"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.231086"},{"key":"e_1_3_2_1_8_1","unstructured":"Chrome DevTools Protocol. [n. d.]."},{"key":"e_1_3_2_1_9_1","unstructured":"Chrome DevTools Protocol. https:\/\/chrome devtools.github.io\/devtools-protocol\/"},{"key":"e_1_3_2_1_10_1","unstructured":"Chromium contributors. 2013. Cross-Origin copy & paste \/ drag & drop allowing XSS (again this time srcdoc). https:\/\/issues.chromium.org\/issues\/40076853"},{"key":"e_1_3_2_1_11_1","unstructured":"Chromium contributors. 2014. Security: file-to-file SOP bypass on Linux via \/proc\/self\/fd\/. https:\/\/issues.chromium.org\/issues\/40080769"},{"key":"e_1_3_2_1_12_1","unstructured":"Chromium contributors. 2014. Security: __lookupGetter__ and __lookupSetter__ can be used to leak all cross-origin data. https:\/\/issues.chromium.org\/issues\/400 80211"},{"key":"e_1_3_2_1_13_1","unstructured":"Chromium contributors. 2015. Insufficient fix for Cross-Origin (Partial) Status Code leak (XS-Leak). https:\/\/issues.chromium.org\/issues\/40062152"},{"key":"e_1_3_2_1_14_1","unstructured":"Chromium contributors. 2015. Origin header preserved for cross-origin redirects with 307 status code should be null. https:\/\/issues.chromium.org\/issues\/40081583"},{"key":"e_1_3_2_1_15_1","unstructured":"Chromium contributors. 2015. [Resource Timing] should not include no-cors cross-origin stylesheet subresources. https:\/\/issues.chromium.org\/issues\/40082 867"},{"key":"e_1_3_2_1_16_1","unstructured":"Chromium contributors. 2016. Security: bypassing CORS by returning 308 for revalidating request for Resource previously without redirects from MemoryCache. https:\/\/issues.chromium.org\/issues\/40084396"},{"key":"e_1_3_2_1_17_1","unstructured":"Chromium contributors. 2017. Cross-origin Shared Worker. https:\/\/issues.chr omium.org\/issues\/40089653"},{"key":"e_1_3_2_1_18_1","unstructured":"Chromium contributors. 2018. Cross-origin download bypasses SameSite cookie. https:\/\/issues.chromium.org\/issues\/40091708"},{"key":"e_1_3_2_1_19_1","volume-title":"Security: CORB allows for cross-origin leaks on social networks. https:\/\/issues.chromium.org\/issues\/40093907","author":"Chromium","year":"2019","unstructured":"Chromium contributors. 2019. Security: CORB allows for cross-origin leaks on social networks. https:\/\/issues.chromium.org\/issues\/40093907"},{"key":"e_1_3_2_1_20_1","unstructured":"Chromium contributors. 2020. navigator.sendBeacon doesn't make CORS preflight request. https:\/\/issues.chromium.org\/issues\/40051484"},{"key":"e_1_3_2_1_21_1","unstructured":"Chromium contributors. 2020. Security: sendBeacon allows sending arbitrary POST requests with application\/octet-stream content type without CORS. https: \/\/issues.chromium.org\/issues\/40051486"},{"key":"e_1_3_2_1_22_1","volume-title":"Security: Cross-Origin Response Size Leak Via BackgroundFetch. https:\/\/issues.chromium.org\/issues\/40057097","author":"Chromium","year":"2021","unstructured":"Chromium contributors. 2021. Security: Cross-Origin Response Size Leak Via BackgroundFetch. https:\/\/issues.chromium.org\/issues\/40057097"},{"key":"e_1_3_2_1_23_1","unstructured":"Chromium contributors. 2024. Cross-origin leak: GC activity and navigation info using the MessagePort.close event. https:\/\/issues.chromium.org\/issues\/3236959 87"},{"key":"e_1_3_2_1_24_1","unstructured":"Chromium contributors. 2025. MediaError message property leaks cross-origin same-site response status. https:\/\/issues.chromium.org\/issues\/416685988."},{"key":"e_1_3_2_1_25_1","unstructured":"Chromium Docs. [n. d.]."},{"key":"e_1_3_2_1_26_1","unstructured":"DistriNet. [n. d.]. BugHog. https:\/\/github.com\/DistriNet\/BugHog."},{"key":"e_1_3_2_1_27_1","unstructured":"Firefox Contributors. [n. d.]."},{"key":"e_1_3_2_1_28_1","unstructured":"Fixing Security Bugs -Firefox Source Docs. https: \/\/firef ox-source-docs.mozilla.org\/bug-mgmt\/processes\/f ixing-securitybugs.html"},{"key":"e_1_3_2_1_29_1","unstructured":"Firefox contributors. 2015. Resource timing violate SOP for \"no-cors\" CSS. https: \/\/bugzilla.mozilla.org\/show_bug.cgi?id=1180145"},{"key":"e_1_3_2_1_30_1","unstructured":"Firefox contributors. 2021. Guessing the URL a cross-origin iframe was redirected to by listening and counting the number of load events. https:\/\/bugzilla.mozilla .org\/show_bug.cgi?id=1741034"},{"key":"e_1_3_2_1_31_1","unstructured":"Firefox contributors. 2021. MediaError message property leaks information on cross-origin same-site pages. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=173 1614"},{"key":"e_1_3_2_1_32_1","unstructured":"Firefox contributors. 2023. Top level Cross Origin Domain Redirection Bypass. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1814879"},{"key":"e_1_3_2_1_33_1","unstructured":"Firefox Contributors. 2025. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=19654 30"},{"key":"e_1_3_2_1_34_1","unstructured":"Firefox Contributors. 2025. Script element load vs error event leaks cross-origin resource status (ORB crbug\/40093907). https:\/\/bugzilla.mozilla.org\/show_bug.cg i?id=1965628"},{"key":"e_1_3_2_1_35_1","volume-title":"JavaScript: The Definitive Guide","author":"Flanagan David","unstructured":"David Flanagan. 1997. JavaScript: The Definitive Guide (2nd ed.). O'Reilly Media. 317 pages. https:\/\/archive.org\/details\/javascriptdefin000flan","edition":"2"},{"key":"e_1_3_2_1_36_1","first-page":"3673","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Franken Gertjan","year":"2023","unstructured":"Gertjan Franken, Tom Van Goethem, Lieven Desmet, and Wouter Joosen. 2023. A Bug's Life: Analyzing the Lifecycle and Mitigation Process of Content Security Policy Bugs. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 3673-3690. https:\/\/www.usenix.org\/conference\/us enixsecurity23\/presentation\/franken"},{"key":"e_1_3_2_1_37_1","first-page":"151","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Franken Gertjan","year":"2018","unstructured":"Gertjan Franken, Tom Van Goethem, and Wouter Joosen. 2018. Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/franken. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 151-168."},{"key":"e_1_3_2_1_38_1","unstructured":"Scott Helme. 2021. COEP COOP CORP CORS CORB -CRAP that's a lot of new stuff! https:\/\/scotthelme.co.uk\/coop-and-coep\/"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2771783.2771789"},{"key":"e_1_3_2_1_40_1","unstructured":"Maksim Sadym James Graham Alex Rudenko. 2026. WebDriver BiDi. https: \/\/www.w3.org\/TR\/webdriver-bidi\/"},{"key":"e_1_3_2_1_41_1","first-page":"621","volume-title":"Eradicating DNS Rebinding with the Extended Same-origin Policy. In 22nd USENIX Security Symposium (USENIX Security 13)","author":"Johns Martin","year":"2013","unstructured":"Martin Johns, Sebastian Lekies, and Ben Stock. 2013. Eradicating DNS Rebinding with the Extended Same-origin Policy. In 22nd USENIX Security Symposium (USENIX Security 13). USENIX Association, Washington, D.C., 621-636. https: \/\/www.usenix.org\/conference\/usenixsecurity13\/technical-sessions\/presentatio n\/johns"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315254"},{"key":"e_1_3_2_1_43_1","unstructured":"Eiji Kitamura. 2020. Making your website \"cross-origin isolated\" using COOP and COEP. https:\/\/web.dev\/articles\/coop-coep"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484739"},{"key":"e_1_3_2_1_45_1","volume-title":"Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy (S&P'19)","author":"Kocher Paul","year":"2019","unstructured":"Paul Kocher, Jann Horn, Anders Fogh, , Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy (S&P'19)."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.241491"},{"key":"e_1_3_2_1_47_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Lipp Moritz","year":"2018","unstructured":"Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In 27th USENIX Security Symposium (USENIX Security 18)."},{"key":"e_1_3_2_1_48_1","first-page":"811","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Liu Peiyu","year":"2024","unstructured":"Peiyu Liu, Junming Liu, Lirong Fu, Kangjie Lu, Yifan Xia, Xuhong Zhang, Wenzhi Chen, Haiqin Weng, Shouling Ji, and Wenhai Wang. 2024. Exploring ChatGPT's Capabilities on Vulnerability Management. In 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association, Philadelphia, PA, 811-828. https: \/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/liu-peiyu"},{"key":"e_1_3_2_1_49_1","unstructured":"Antonio Sartori Mike West. 2025. Content Security Policy Level 3. https: \/\/www.w3.org\/TR\/CSP3\/"},{"key":"e_1_3_2_1_50_1","unstructured":"Mozilla Developer Network. [n. d.]."},{"key":"e_1_3_2_1_51_1","unstructured":"Cross-site request forgery (CSRF). https: \/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Attacks\/CSRF"},{"key":"e_1_3_2_1_52_1","unstructured":"Mozilla Developer Network. 2025. Same-origin policy. https:\/\/developer.mozilla. org\/en-US\/docs\/Web\/Security\/Defenses\/Same-origin_policy"},{"key":"e_1_3_2_1_53_1","unstructured":"Mozilla Developer Network. 2026. User activation. https:\/\/developer.mozilla.or g\/en-US\/docs\/Web\/Security\/Defenses\/User_activation"},{"key":"e_1_3_2_1_54_1","unstructured":"Netscape. 2002. Netscape 3.0 Handbook. https:\/\/web.archive.org\/web\/20020808 153106\/http:\/\/wp.netscape.com:80\/eng\/mozilla\/3.0\/handbook\/javascript\/advto pic.htm#1009533"},{"key":"e_1_3_2_1_55_1","unstructured":"Mozilla Developer Network. 2025. Firefox 20 release notes for developers. https: \/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Firefox\/Releases\/20"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616598"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3719027.3765119"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.39"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2011.226"},{"key":"e_1_3_2_1_61_1","first-page":"713","volume-title":"Same-Origin Policy: Evaluation in Modern Browsers. In 26th USENIX Security Symposium (USENIX Security 17)","author":"Schwenk J\u00f6rg","year":"2017","unstructured":"J\u00f6rg Schwenk, Marcus Niemietz, and Christian Mainka. 2017. Same-Origin Policy: Evaluation in Modern Browsers. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 713-727. https:\/\/www.usenix .org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/schwenk"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.35"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038912.3052634"},{"key":"e_1_3_2_1_64_1","first-page":"5539","volume-title":"Cookie Crumbles: Breaking and Fixing Web Session Integrity. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Squarcina Marco","year":"2023","unstructured":"Marco Squarcina, Pedro Ad\u00e3o, Lorenzo Veronese, and Matteo Maffei. 2023. Cookie Crumbles: Breaking and Fixing Web Session Integrity. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 5539-5556. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/squarcina"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772784"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3567985"},{"key":"e_1_3_2_1_67_1","unstructured":"Chromium Development Calendar and Release Info. https:\/\/www.chromium.org\/developers\/calendar\/"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3517416"},{"key":"e_1_3_2_1_69_1","unstructured":"Anne van Kesteren. 2022. Opaque Response Blocking (ORB aka CORB++). https:\/\/github.com\/annevk\/orb"},{"key":"e_1_3_2_1_70_1","unstructured":"W3C. 2010. Same Origin Policy. https:\/\/www.w3.org\/Security\/wiki\/Same_Orig in_Policy"},{"key":"e_1_3_2_1_71_1","unstructured":"W3C. 2014. Cross-Origin Resource Sharing. https:\/\/www.w3.org\/TR\/2020\/SPSD- cors-20200602\/"},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978363"},{"key":"e_1_3_2_1_73_1","unstructured":"WHATWG. 2026. Fetch. https:\/\/fetch.spec.whatwg.org\/"},{"key":"e_1_3_2_1_74_1","unstructured":"WHATWG. 2026. HTML. https:\/\/html.spec.whatwg.org\/"},{"key":"e_1_3_2_1_75_1","volume-title":"Jiwhan Kim, Ben Stock, and Sooel Son.","author":"Wi Seongil","year":"2023","unstructured":"Seongil Wi, Trung Tin Nguyen, Jiwhan Kim, Ben Stock, and Sooel Son. 2023. DiffCSP: Finding Browser Bugs in Content Security Policy Enforcement through Differential Testing, In NDSS. NDSS. https:\/\/publications.cispa.saarland\/3891\/"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/3769676"}],"event":{"name":"SecDev '26: 2026 ACM Secure Development Conference","location":"Montreal QC Canada","acronym":"SecDev '26","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 2026 ACM Secure Development Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3805773.3805993","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T05:24:04Z","timestamp":1782883444000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3805773.3805993"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6,30]]},"references-count":76,"alternative-id":["10.1145\/3805773.3805993","10.1145\/3805773"],"URL":"https:\/\/doi.org\/10.1145\/3805773.3805993","relation":{},"subject":[],"published":{"date-parts":[[2026,6,30]]},"assertion":[{"value":"2026-06-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}