Abstract |
---|
Modern Web applications combine and use JavaScript-based content from multiple untrusted sources. Without proper isolation, such content can compromise the security and privacy of these Web applications. Prior techniques for isolating untrusted JavaScript code do so by restricting dangerous constructs and inlining security checks into third-party code. This paper presents a new approach that extends the JavaScript language to make isolation a language-level primitive. We propose to extend the language using a new transaction construct that allows a Web application to speculatively execute untrusted code and isolate its changes. The Web application can then inspect these speculative actions and commit them only if they comply with the application's security policies. We discuss use-cases that can benefit from JavaScript support for transactions, present a formalization of JavaScript transactions and conclude with implementation considerations. |

Year | DOI | Venue |
---|---|---|
2010 | 10.1145/1814217.1814223 | PLAS |

Keywords | DocType | Citations |
---|---|---|
position paper, javascript support, security policy, untrusted javascript code, javascript language, inlining security check, javascript transaction, web application, multiple untrusted source, third-party code, modern web application, speculative execution, confinement, use case, javascript, isolation | Conference | 3 |

PageRank | References | Authors |
---|---|---|
0.43 | 11 | 3 |

Name | Order | Citations | PageRank |
---|---|---|---|
Mohan Dhawan | 1 | 192 | 11.15 |
Chung-chieh Shan | 2 | 485 | 33.27 |
Vinod Ganapathy | 3 | 713 | 42.69 |