Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Robust composition: towards a unified approach to access control and concurrency control
Robust composition: towards a unified approach to access control and concurrency control
BrowserShield: vulnerability-driven filtering of dynamic HTML
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Characterizing insecure javascript practices on the web
Proceedings of the 18th international conference on World wide web
Lightweight self-protecting JavaScript
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Language-Based Isolation of Untrusted JavaScript
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Reining in the web with content security policy
Proceedings of the 19th international conference on World wide web
Noninterference through Secure Multi-execution
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Object Capabilities and Isolation of Untrusted Web Applications
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Proxies: design principles for robust object-oriented intercession APIs
Proceedings of the 6th symposium on Dynamic languages
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Contego: capability-based access control for web browsers
TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing
ADsafety: type-based verification of JavaScript Sandboxing
SEC'11 Proceedings of the 20th USENIX conference on Security
WebJail: least-privilege integration of third-party components in web mashups
Proceedings of the 27th Annual Computer Security Applications Conference
A two-tier sandbox architecture for untrusted JavaScript
Proceedings of the Workshop on JavaScript Tools
Security of web mashups: a survey
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Safe wrappers and sane policies for self protecting javascript
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
You are what you include: large-scale evaluation of remote javascript inclusions
Proceedings of the 2012 ACM conference on Computer and communications security
FlowFox: a web browser with flexible and precise information flow control
Proceedings of the 2012 ACM conference on Computer and communications security
The need for capability policies
Proceedings of the 15th Workshop on Formal Techniques for Java-like Programs
Hi-index | 0.00 |
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website. We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.