IIIT Hyderabad Publications
Alloy model for Cross Origin Request Policy (CORP)

Authors: Krishna Chaitanya, Venkatesh Choppella
Date: 2013-08-18
Report no: IIIT/TR/2013/31

Abstract

This document describes the formal model for Cross Origin Request Policy (CORP), a new browser security policy proposed for enhancing the security of the web platform. CORP aims to defend against several Cross Origin Request Attacks (CORA) such as CSRF, Clickjacking, Web application timing, etc. CORP is configured by website administrators and sent as an HTTP response header to the browser. A browser which is CORP-enabled will interpret the policy and enforce it on all cross origin HTTP requests originating from other tabs of the browser, thus preventing malicious cross origin requests. Alloy, a finite state model finder, is used to formalize CORP and verify its soundness.

Full report: pdf

Centre for Software Engineering Research Lab