In the modern Web, security headers are of the utmost importance for websites to provide protection against various attacks, such as Cross-Site Scripting, Clickjacking, and Cross-Site Leaks. As each security header uses a different syntax and has unique processing rules, correctly implementing them is a complex task for both browser and website developers. Inconsistency in browser behavior related to security headers harms websites, as their security depends on their users' browsers. At the same time, compatibility issues may deter developers from deploying such headers in the first place. In this work, we performed a differential evaluation of the security header parsing and enforcement behavior in desktop and mobile browsers to uncover problematic browser differences. We systematically ran 177,146 tests covering 16 security-relevant headers multiple times in 16 browser configurations covering over 97% of the browser engine market share. We identified 5,606 (3.16%) tests that behave inconsistently across browsers. Our subsequent analysis revealed 42 root causes, highlighting the prevalence of implementation issues. 31 of these root causes were previously unknown and resulted in 36 bug reports against the affected browsers and specifications. Many of our reports have already resulted in fixes improving web consistency and users' security. To foster open science and enable browser vendors to continuously test their security header implementations, we open-source our test framework.
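The differential approach the abstract describes, reduced to a toy (added illustration, not the paper's framework or any browser's code): the same X-Frame-Options inputs are fed to two constructed parser models that differ in how they treat repeated fields, comma-joined lists and empty tokens, and every case where the resulting framing decision diverges is flagged. Engine names, the case corpus and the `example.test` URL are constructed for the example.

```python
"""Toy differential test of X-Frame-Options handling across two model engines."""
from enum import Enum


class Decision(Enum):
    ALLOW = "allow framing"
    DENY = "deny framing"
    SAMEORIGIN = "same-origin framing only"


def engine_first_token(header_values):
    """Hypothetical engine A: honours only the first field's first comma token."""
    first = header_values[0].split(",")[0].strip().lower() if header_values else ""
    if first == "deny":
        return Decision.DENY
    if first == "sameorigin":
        return Decision.SAMEORIGIN
    return Decision.ALLOW  # unknown or empty value: header ignored


def engine_conflict_blocks(header_values):
    """Hypothetical engine B: merges all fields, drops empty tokens, fails closed on conflict."""
    tokens = {t.strip().lower() for v in header_values for t in v.split(",") if t.strip()}
    if len(tokens) > 1:  # conflicting directives: block if any recognised value is present
        return Decision.DENY if tokens & {"deny", "sameorigin", "allowall"} else Decision.ALLOW
    if tokens == {"deny"}:
        return Decision.DENY
    if tokens == {"sameorigin"}:
        return Decision.SAMEORIGIN
    return Decision.ALLOW


ENGINES = {"engine-A": engine_first_token, "engine-B": engine_conflict_blocks}

# Constructed corpus: one list element per X-Frame-Options field as received on the wire.
CASES = {
    "single-deny": ["DENY"],
    "mixed-case": ["Deny"],
    "repeated-conflict": ["SAMEORIGIN", "DENY"],
    "comma-conflict": ["SAMEORIGIN, DENY"],
    "leading-empty-token": [" , DENY"],
    "unknown-value": ["ALLOW-FROM https://example.test"],
}


def differential_test(cases=CASES, engines=ENGINES):
    """Return {case: {engine: Decision}} for every case on which the engines disagree."""
    inconsistent = {}
    for name, values in cases.items():
        results = {eng: fn(values) for eng, fn in engines.items()}
        if len(set(results.values())) > 1:
            inconsistent[name] = results
    return inconsistent


if __name__ == "__main__":
    for case, results in differential_test().items():
        print(case, {eng: d.value for eng, d in results.items()})
```

Three of the six cases diverge; the other three are consistent and therefore not reported, which mirrors how only a small fraction of the paper's tests surfaced differences.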
ACM Conference on Computer and Communications Security (CCS)
2025-10-13
2025-10-12