Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although they facilitate important usability advances, they have also opened the door to cross-site attacks and third-party tracking. Various countermeasures have been developed as a reaction to these threats, such as built-in browser policies and extensions that block undesirable requests and cookies.
However, the effectiveness of these countermeasures is rarely questioned. Motivated by this, we developed a framework to evaluate these countermeasures in an automated manner, spanning 8 browsers and 46 ad blockers and privacy extensions. Unfortunately, our comprehensive evaluation uncovered that virtually every policy can be bypassed.
In this talk, we explore various interesting bypasses to built-in browser policies and extensions. Furthermore, we argue that our framework is a much-needed tool for evaluating browser policies. We illustrate that our framework can be expanded to evaluate other policy implementations such as Content Security Policy and private browsing mode.