Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange

Pinji Chen

Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Web Exploitation

The talk "Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange," presented by Pinji Chen from Tsinghua University, unveils a critical reinterpretation of web security's foundational Same-Origin Policy (SOP). The research demonstrates how modern web protocols, specifically **HTTP/2 Server Push** and **Signed HTTP Exchange (SXG)**, inadvertently broaden the definition of an "origin" from the traditional URI-based approach to a more permissive Subject Alternative Name (SAN)-based model. This shift fundamentally undermines the SOP, creating novel attack vectors that allow malicious actors to bypass established security boundaries.
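As an added illustration (not code from the talk or the paper), the sketch below contrasts the URI-based origin tuple with a SAN-based view in which every hostname covered by one certificate counts as the same authority, and lists the origin pairs that a shared certificate bridges. The hostnames, the SAN list and the function names are constructed, and the wildcard rule is a simplification of real certificate name matching.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def uri_origin(url):
    """Classic SOP origin: the (scheme, host, port) tuple of a URL."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])

def san_covers(san, host):
    """Simplified dNSName match: '*' stands for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def cert_covers(sans, host):
    """True if any SAN entry of the certificate matches the host."""
    return any(san_covers(s, host) for s in sans)

def sop_gaps(sans, urls):
    """Pairs of URLs that SOP keeps apart but a single certificate covers."""
    covered = [u for u in urls
               if urlsplit(u).scheme == "https"
               and cert_covers(sans, urlsplit(u).hostname)]
    gaps = []
    for i, a in enumerate(covered):
        for b in covered[i + 1:]:
            if uri_origin(a) != uri_origin(b):
                gaps.append((a, b))
    return gaps

# Constructed sample: SAN list of one shared certificate and the sites to audit.
SANS = ["shop.example.com", "*.cdn.example.net", "blog.example.org"]
URLS = [
    "https://shop.example.com/cart",
    "https://img.cdn.example.net/logo.png",
    "https://blog.example.org/",
    "https://a.b.cdn.example.net/x",   # two labels: not matched by the wildcard
    "https://bank.example.com/",       # not on the certificate
]

if __name__ == "__main__":
    for a, b in sop_gaps(SANS, URLS):
        print(f"{uri_origin(a)} and {uri_origin(b)} share one certificate")
```

Run over the certificates an organisation actually deploys, a check like this shows which otherwise separate origins end up depending on the same certificate and key.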

AI review

Solid, original web security research that identifies a genuine architectural flaw: the SAN-based origin relaxation in HTTP/2 Server Push and SXG quietly punches a hole through SOP in a way that enables practical off-path attacks. The 796-day persistence angle and the irrevocability finding are the sharpest contributions — not just 'here's a new attack' but 'here's why you can't clean it up.'
