Language Based Isolation of Untrusted JavaScript

Executive Summary

Web sites that incorporate untrusted content may use browser or language-based methods to keep such content from maliciously altering pages, stealing sensitive information, or causing other harm. The authors study methods for filtering and rewriting JavaScript code, using Yahoo! ADsafe and Facebook FBJS as motivating examples. They explain the core problems by describing previously unknown vulnerabilities and shortcomings, and give a foundation for improved solutions based on an operational semantics of the full ECMA262-3 language. They also discuss how to apply the analysis to address the problems they discovered.

  • Format: PDF
  • Size: 343.3 KB