Cookies provide a state management mechanism for the web and are often used for authentication: they store a user's session ID, which stands in for the user's credentials in subsequent requests. These "session cookies" are valuable targets of attacks such as Session Hijacking and Session Fixation, which attempt to steal them and gain unauthorized access to user accounts. Multiple controls, such as the Secure and HttpOnly cookie attributes, restrict cookie accessibility and effectively mitigate attacks from the network or from malicious websites, but they generally ignore untrusted extensions within the user's browser. Extensions are third-party HTML/JavaScript add-ons with access to several privileged APIs, and they can run on multiple websites at once. Unfortunately, this can give malicious or compromised extensions unrestricted access to session cookies. In this work, we first conduct a study assessing the prevalence of extensions with these "risky" APIs (i.e., those enabling cookie modification and theft) and find that they are currently used by hundreds of millions of users. Motivated by this, we propose browser controls based on two new cookie attributes that protect cookies from malicious extensions: BrowserOnly and Tracked. The BrowserOnly attribute prevents extensions from accessing cookies altogether. While effective, not all cookies can be made inaccessible. Cookies with the Tracked attribute remain accessible, are tied to a single browser, and record any modifications made by extensions. Thus, stolen Tracked cookies become unusable outside their original browser, and servers can verify any modifications. To demonstrate these features' practicality, we implement CREAM (Cookie Restrictions for Extension Abuse Mitigation): a modified version of Chromium realizing these controls. Our evaluation indicates that CREAM's controls effectively protect cookies from malicious extensions while incurring small run-time overheads.
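The following is an added illustration, not code from the paper or from CREAM. It parses Set-Cookie headers and reports which access paths each cookie permits under today's attributes (Secure, HttpOnly) and under the two attributes the abstract proposes. It assumes BrowserOnly and Tracked are written as flag attributes like HttpOnly; the paper's actual syntax and the mechanism by which Tracked binds a cookie to a browser are not described in the abstract and are not modelled here. The point it makes concrete is the gap the abstract identifies: HttpOnly hides a cookie from page scripts, but an extension holding the cookies permission can still read it.

```python
"""Constructed example (not the paper's or CREAM's code).

Parses Set-Cookie headers and evaluates which access paths a cookie permits:
  - page script via document.cookie      -> blocked by HttpOnly
  - transport over plaintext HTTP        -> blocked by Secure
  - extension cookies API                -> NOT blocked by Secure/HttpOnly today;
                                            blocked by the proposed BrowserOnly
  - extension edits recorded / cookie bound to one browser
                                         -> the proposed Tracked attribute
Assumption: BrowserOnly and Tracked are modelled as flag attributes.
"""
from dataclasses import dataclass, field

STANDARD_FLAGS = {"secure", "httponly"}
PROPOSED_FLAGS = {"browseronly", "tracked"}   # assumption: flag-style syntax


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)   # key=value attributes (Path, Domain, ...)
    flags: set = field(default_factory=set)     # bare attributes (Secure, HttpOnly, ...)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header into the cookie pair and its attributes.

    Attribute names are case-insensitive, so they are lower-cased for lookup.
    Unknown bare attributes are kept as flags so a server can emit new ones
    without breaking the parser.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if sep:
            cookie.attrs[key] = val.strip()
        else:
            cookie.flags.add(key)
    return cookie


def access_matrix(cookie: Cookie) -> dict:
    """Return who can reach the cookie and what protections apply."""
    flags = cookie.flags
    return {
        # document.cookie in a page on the cookie's origin
        "page_script": "httponly" not in flags,
        # would the browser send it over an http:// request?
        "plaintext_http": "secure" not in flags,
        # an extension with the cookies permission: today neither Secure nor
        # HttpOnly stops it; only the proposed BrowserOnly attribute would
        "extension_cookies_api": "browseronly" not in flags,
        # proposed Tracked: extension modifications are recorded for the server
        "extension_edits_recorded": "tracked" in flags,
        # proposed Tracked: cookie is tied to the browser that received it
        "usable_if_exfiltrated": "tracked" not in flags,
    }


def unknown_attributes(cookie: Cookie) -> set:
    """Bare attributes that are neither standard nor among the proposed ones.

    Useful as a sanity check on what a server actually emits."""
    return cookie.flags - STANDARD_FLAGS - PROPOSED_FLAGS


if __name__ == "__main__":
    # Constructed sample headers for demonstration only.
    for hdr in (
        "sid=abc123; Path=/; Secure; HttpOnly",
        "sid=abc123; Path=/; Secure; HttpOnly; BrowserOnly",
        "pref=dark; Path=/; Secure; Tracked",
    ):
        c = parse_set_cookie(hdr)
        print(hdr)
        for k, v in access_matrix(c).items():
            print(f"  {k:26s} {v}")
```

Running the block prints the access matrix for three constructed headers; the first row shows that Secure plus HttpOnly still leaves the cookie readable through the extension API, the second shows BrowserOnly closing that path, and the third shows a cookie that stays accessible but has its extension edits recorded and is not usable elsewhere.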