Flexible access control for javascript

  • Authors:
  • Gregor Richards;Christian Hammer;Francesco Zappa Nardelli;Suresh Jagannathan;Jan Vitek

  • Affiliations:
  • Purdue University, West Lafayette, IN, USA;Saarland University, Saarbrücken, Germany;INRIA, Paris, France;Purdue University, West Lafayette, IN, USA;Purdue University, West Lafayette, IN, USA

  • Venue:
  • Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
  • Year:
  • 2013

Quantified Score

Hi-index 0.00

Visualization

Abstract

Providing security guarantees for systems built out of untrusted components requires the ability to define and enforce access control policies over untrusted code. In Web 2.0 applications, JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over subsets of a JavaScript program by leveraging the concept of delimited histories with revocation. We implement our proposal in WebKit and evaluate it with three policies on 50 widely used websites with no changes to their JavaScript code and report performance overheads and violations.