We study methods that allow web sites to safely combine JavaScript from untrusted sources. If implemented properly, filters can prevent dangerous code from loading into the execution environment, while rewriting allows greater expressiveness by inserting run-time checks. Wrapping properties of the execution environment can prevent misuse without requiring changes to imported JavaScript. Using a formal semantics for the ECMA 262-3 standard language, we prove security properties of a subset of JavaScript, comparable in expressiveness to Facebook FBJS, obtained by combining three isolation mechanisms. The isolation guarantees of the three mechanisms are interdependent, with rewriting and wrapper functions relying on the absence of JavaScript constructs eliminated by language filters.