To date, much of the development in Web-related technologies has been driven by the users’ quest for ever faster and more intuitive WWW. One of the most recent trends in this development is built around the idea that a user’s WWW experience can further be improved by predicting and/or preloading Web resources that are likely sought by the user, ahead of time. Resource hints is a set of features introduced in HTML5 and intended to support the idea of predictive preloading in the WWW. Inspite of the fact that resource hints were originally intended to enhance the online user experience, their introduction has unfortunately created a vulnerability that can be exploited to attack the user’s privacy, security and reputation, or to turn the user’s computer into a bot that can compromise the integrity of business analytics. In this article we outline six different scenarios (i.e., attacks) in which the resource hints could end up turning the browser into a dangerous tool that acts without the knowledge of and/or against its very own user. What makes these attacks particularly concerning is the fact that they are extremely easy to execute, and they do not require that any form of client-side malware be implanted on the user machine. While one of the attacks is (just) a new form of the well-known cross-site request forgery attacks, the other attacks have not been addressed much or at all in the research literature. Through this work, we ultimate hope to make the wider Internet community critically rethink the way the resource hints are implemented and used in today’sWWW.
Rethinking the Use of Resource Hints in HTML5: Is Faster Always Better!?