These Aren’t the Links You’re Looking For A Security Policy for Web Navigation

Abstract

The workings of the World Wide Web (WWW) has a history of security problems with a root cause that is hard to fix. Cross-Site Scripting (XSS) and other types of injection attacks can be mitigated to some extent, but for regular Hypertext Markup Language (HTML) and web navigation no mitigation or detection mechanism exist. In the work, attacks to introduce navigation unwanted by the web application are shown together with the current state of the art defences. In the evaluation of defences, it is found that no mechanism has the ability to defend the web application from the injected web navigation. As a solution to this problem the Navigational Security Policy (NSP) is introduced. The NSP is an easy to understand schema enabling web developers to define the set of legal destinations originating from a web application. The NSP is shown to work as expected through the implementation, and an evaluation, of a proof of concept.