Title :
Secure Web scripting
Author :
Anupam, Vinod ; Mayer, Alain
Author_Institution :
Lucent Lab., AT&T Bell Labs., Murray Hill, NJ, USA
Abstract :
Current Web scripting languages lack an explicit security model. The model proposed in the article has been implemented for JavaScript in the Mozilla browser source code; it is realized by a “safe” interpreter and based on three basic building blocks: access control, to regulate what data a script can access on a user´s machine and in what mode; independence of contexts, to ensure that two scripts executing in different contexts (for example, simultaneously in different browser windows or sequentially in the same browser window) cannot access each other´s data at will; and trust management, to regulate how trust is established and terminated among scripts executing simultaneously in different contexts. We also advocate a clear separation between a security policy and an implementation. Different users require different degrees of privacy and security, which translate to different degrees of flexibility when interacting with a Web server; these differences can be expressed in different security policies. A sound implementation, however, should be universally applicable. These are principles that first appeared decades ago in work on secure operating systems
Keywords :
Java; authoring languages; data privacy; information resources; search engines; security of data; JavaScript; Mozilla browser source code; Web scripting languages; Web server; access control; browser windows; context independence; explicit security model; privacy; safe interpreter; secure Web scripting; secure operating systems; security policy; trust management; Cryptography; Data security; HTML; History; Information security; Internet; Java; Laboratories; Object oriented modeling; Operating systems;
Journal_Title :
Internet Computing, IEEE
DOI :
10.1109/4236.735986
