ESOP'92 Symposium proceedings on 4th European symposium on programming
ACM Computing Surveys (CSUR) - Special issue: position statements on strategic directions in computing research
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Robust composition: towards a unified approach to access control and concurrency control
Robust composition: towards a unified approach to access control and concurrency control
Relationally-parametric polymorphic contracts
Proceedings of the 2007 symposium on Dynamic languages
MashupOS: operating system abstractions for client mashups
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
End-to-end web application security
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Delegating responsibility in digital systems: Horton's "who done it?"
HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
Secure Web Browsing with the OP Web Browser
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
OMash: enabling secure web mashups via object abstractions
Proceedings of the 15th ACM conference on Computer and communications security
AOJS: aspect-oriented javascript programming framework for web development
Proceedings of the 8th workshop on Aspects, components, and patterns for infrastructure software
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
Lightweight self-protecting JavaScript
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Language-Based Isolation of Untrusted JavaScript
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Virtual values for language extension
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
A two-tier sandbox architecture for untrusted JavaScript
Proceedings of the Workshop on JavaScript Tools
Security of web mashups: a survey
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Safe wrappers and sane policies for self protecting javascript
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
TreeHouse: JavaScript sandboxes to helpWeb developers help themselves
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Jigsaw: efficient, low-effort mashup isolation
WebApps'12 Proceedings of the 3rd USENIX conference on Web Application Development
Enhancing javascript with transactions
ECOOP'12 Proceedings of the 26th European conference on Object-Oriented Programming
Securing web-clients with instrumented code and dynamic runtime monitoring
Journal of Systems and Software
Language-based defenses against untrusted browser origins
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
Browsers do not currently support the secure sharing of JavaScript objects between principals. We present this problem as the need for object views, which are consistent and controllable versions of objects. Multiple views can be made for the same object and customized for the recipients. We implement object views with a JavaScript library that wraps shared objects and interposes on all access attempts. The security challenge is to fully mediate access to objects shared through a view and prevent privilege escalation. We discuss how object views can be deployed in two settings: same-origin sharing with rewriting-based JavaScript isolation systems like Google Caja, and inter-origin sharing between browser frames over a message-passing channel. To facilitate simple document sharing, we build a policy system for declaratively defining policies for document object views. Notably, our document policy system makes it possible to hide elements without breaking document structure invariants. Developers can control the fine-grained behavior of object views with an aspect system that accepts programmatic policies.