Current Web scripting languages lack an explicit security model. The model proposed in the article has been implemented for JavaScript in the Mozilla browser source code; it is realized by a “safe” interpreter and based on three basic building blocks: access control, to regulate what data a script can access on a user's machine and in what mode; independence of contexts, to ensure that two scripts executing in different contexts (for example, simultaneously in different browser windows or sequentially in the same browser window) cannot access each other's data at will; and trust management, to regulate how trust is established and terminated among scripts executing simultaneously in different contexts. We also advocate a clear separation between a security policy and an implementation. Different users require different degrees of privacy and security, which translate to different degrees of flexibility when interacting with a Web server; these differences can be expressed in different security policies. A sound implementation, however, should be universally applicable. These are principles that first appeared decades ago in work on secure operating systems