Language-based isolation of untrusted JavaScript
File(s)
DTR09-3.pdf (483.33 KB)
Published version
Author(s)
Maffeis, Sergio
Mitchell, John C
Taly, Ankur
Type
Report
Abstract
Web sites that incorporate untrusted content may use browser- or
language-based methods to keep such content from maliciously altering pages,
stealing sensitive information, or causing other harm. We study language-based
methods for filtering and rewriting JavaScript code, using Yahoo! ADSafe
and Facebook FBJS as motivating examples. We explain the core problems
by describing previously unknown vulnerabilities and subtleties, and
develop a foundation for improved solutions based on an operational semantics
of the full ECMA-262 language. We also discuss how to apply our analysis
to address the JavaScript isolation problems we discovered.
Date Issued
2009-01-01
Citation
Departmental Technical Report: 09/3, 2009, pp.1-36
Publisher
Department of Computing, Imperial College London
Start Page
1
End Page
36
Journal / Book Title
Departmental Technical Report: 09/3
Copyright Statement
© 2009 The Author(s). This report is available open access under a CC-BY-NC-ND (https://creativecommons.org/licenses/by-nc-nd/4.0/)
Publication Status
Published
Article Number
09/3