  • DocumentCode
    3255708
  • Title
    Language-Based Isolation of Untrusted JavaScript
  • Author
    Maffeis, Sergio; Taly, Ankur
  • Author_Institution
    Dept. of Comput., Imperial Coll. London, London, UK
  • fYear
    2009
  • fDate
    8-10 July 2009
  • Firstpage
    77
  • Lastpage
    91
  • Abstract
    Web sites that incorporate untrusted content may use browser- or language-based methods to keep such content from maliciously altering pages, stealing sensitive information, or causing other harm. We study language-based methods for filtering and rewriting JavaScript code, using Yahoo! ADSafe and Facebook FBJS as motivating examples. We explain the core problems by describing previously unknown vulnerabilities and subtleties, and develop a foundation for improved solutions based on an operational semantics of the full ECMA-262 language. We also discuss how to apply our analysis to address the JavaScript isolation problems we discovered.
  • Keywords
    Java; Web sites; information filtering; rewriting systems; security of data; JavaScript code filtering; JavaScript code rewriting; Web sites; language-based isolation; operational semantics; untrusted JavaScript; Advertising; Computer science; Computer security; Educational institutions; Electronic mail; Facebook; Filtering; Java; Social network services; USA Councils; Facebook; Isolation; JavaScript; Security; Subsetting;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computer Security Foundations Symposium, 2009. CSF '09. 22nd IEEE
  • Conference_Location
    Port Jefferson, NY
  • ISSN
    1940-1434
  • Print_ISBN
    978-0-7695-3712-2
  • Type
    conf
  • DOI
    10.1109/CSF.2009.11
  • Filename
    5230484