Inducing Amnesia in Browsers: the Clear Site Data Header
The new Clear-Site-Data HTTP header allows a website to tell a user’s browser to clear various browsing data (cookies, storage, cache, executionContexts) associated with the website.
This gives websites more fine-grained control over the data their users keep in the browser. It can be used to ensure that certain sensitive information is not persistently stored, to wipe traces of having visited the site (for example, users living under a regime visiting an “unapproved” site), or, for a site affected by a persistent XSS vulnerability, to reset its users to a “clean” state.
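As an added example (not code from the original post), the following Python shows the defensive use of the header on a logout endpoint: it serialises a Clear-Site-Data value from a whitelist of the directives the spec defines, and parses a header value the way a browser does (quoted, comma-separated directives, unknown names ignored, `"*"` meaning every type). The cookie name `sessionid` is an assumed placeholder.

```python
import re

# Directive names defined by the Clear-Site-Data specification.
# Browser support for individual directives varies; unknown or
# unsupported names are silently ignored by the browser.
KNOWN_DIRECTIVES = {"cache", "cookies", "storage", "executionContexts"}

_QUOTED = re.compile(r'"([^"]*)"')


def parse_clear_site_data(value: str) -> set:
    """Parse a header value as a browser would: each directive must be a
    double-quoted token, tokens are comma-separated, unrecognised or
    unquoted tokens are dropped, and "*" expands to every known type."""
    found = set()
    for part in value.split(","):
        m = _QUOTED.fullmatch(part.strip())
        if not m:
            continue  # unquoted or malformed token: ignored, not an error
        name = m.group(1)
        if name == "*":
            found |= KNOWN_DIRECTIVES
        elif name in KNOWN_DIRECTIVES:
            found.add(name)
    return found


def build_clear_site_data(directives) -> str:
    """Serialise a list of directives, rejecting anything the spec does
    not define so a typo does not silently produce a no-op header."""
    unknown = set(directives) - KNOWN_DIRECTIVES - {"*"}
    if unknown:
        raise ValueError(f"unknown Clear-Site-Data directive(s): {sorted(unknown)}")
    return ", ".join(f'"{d}"' for d in directives)


def logout_headers(session_cookie: str = "sessionid") -> list:
    """Response headers for a logout endpoint (assumed cookie name).
    The session cookie is expired as usual, and Clear-Site-Data also
    tells the browser to drop all cookies and storage for the origin,
    so a user on a shared machine leaves nothing behind. Browsers only
    honour the header when the response is served over HTTPS."""
    return [
        ("Set-Cookie", f"{session_cookie}=; Max-Age=0; Path=/; Secure; HttpOnly"),
        ("Clear-Site-Data", build_clear_site_data(["cookies", "storage"])),
        ("Cache-Control", "no-store"),
    ]
```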
From an offensive point of view, the Clear-Site-Data header could be used to:

- Wipe traces of a user having visited a malicious site (e.g. drive-by-download malware), making incident response more difficult.
- Flush cookies in competing subdomains, making session fixation attacks easier.