CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

This paper presents CONSCRIPT, an client-side advice implementation for security, built on top of Internet Explorer 8a. CONSCRIPT allows the hosting page to express fine-grained application-specific security policies that are enforced at runtime. In addition to presenting 17 widely-ranging security and reliability policies that CONSCRIPT enables, one also shows how policies can be generated automatically through static analysis of server-side code or runtime analysis of client-side code. The paper also presents a type system that helps ensure correctness of CONSCRIPT policies.