The Security Lottery: Measuring Client-Side Web Security Inconsistencies


Sebastian Roth, CISPA Helmholtz Center for Information Security; Stefano Calzavara, Università Ca' Foscari Venezia; Moritz Wilhelm, CISPA Helmholtz Center for Information Security; Alvise Rabitti, Università Ca' Foscari Venezia; Ben Stock, CISPA Helmholtz Center for Information Security


To mitigate a myriad of Web attacks, modern browsers support client-side security policies shipped through HTTP response headers. To enforce these defenses, the server needs to communicate them to the client, a seemingly straightforward process. However, users may access the same site in variegate ways, e.g., using different User-Agents, network access methods, or language settings. All these usage scenarios should enforce the same security policies, otherwise a security lottery would take place: depending on specific client characteristics, different levels of Web application security would be provided to users (inconsistencies). We formalize security guarantees provided through four popular mechanisms and apply this to measure the prevalence of inconsistencies in the security policies of top sites across different client characteristics. Based on our insights, we investigate the security implications of both deterministic and non-deterministic inconsistencies, and show how even prominent services are affected by them.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {281452,
author = {Sebastian Roth and Stefano Calzavara and Moritz Wilhelm and Alvise Rabitti and Ben Stock},
title = {The Security Lottery: Measuring {Client-Side} Web Security Inconsistencies},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
isbn = {978-1-939133-31-1},
address = {Boston, MA},
pages = {2047--2064},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video