Securing Script-Based Extensibility in Web Browsers

Date Added: Jun 2010
Format: PDF

Web browsers are increasingly designed to be extensible to keep up with the Web's rapid pace of change. This extensibility is typically implemented using script-based extensions. Script extensions have access to sensitive browser APIs and content from untrusted web pages. Unfortunately, this powerful combination creates the threat of privilege escalation attacks that grant web page scripts the full privileges of extensions and control over the entire browser process. This paper makes its contributions. It describes the pitfalls of script-based extensibility based on the study of the Firefox web browser.