
Object capabilities and isolation of untrusted web applications

File: DTR10-6.pdf (Published version, 385.29 kB, Adobe PDF)
Title: Object capabilities and isolation of untrusted web applications
Authors: Maffeis, S
Mitchell, JC
Taly, A
Item Type: Report
Abstract: A growing number of current web sites combine active content (applications) from untrusted sources, as in so-called mashups. The object-capability model provides an appealing approach for isolating untrusted content: if separate applications are provided disjoint capabilities, a sound object-capability framework should prevent untrusted applications from interfering with each other, without preventing interaction with the user or the hosting page. In developing language-based foundations for isolation proofs based on object-capability concepts, we identify a more general notion of authority safety that also implies resource isolation. After proving that capability safety implies authority safety, we show the applicability of our framework for a specific class of mashups. In addition to proving that a JavaScript subset based on Google Caja is capability safe, we prove that a more expressive subset of JavaScript is authority safe, even though it is not based on the object-capability model.
Issue Date: 1-Jan-2010
URI: http://hdl.handle.net/10044/1/95215
DOI: https://doi.org/10.25561/95215
Publisher: Department of Computing, Imperial College London
Start Page: 1
End Page: 32
Journal / Book Title: Departmental Technical Report: 10/6
Copyright Statement: © 2010 The Author(s). This report is available open access under a CC-BY-NC-ND (https://creativecommons.org/licenses/by-nc-nd/4.0/)
Publication Status: Published
Article Number: 10/6
Appears in Collections: Computing; Computing Technical Reports