Much of the power of modern Web comes from the ability of a Web page to combine contents and JavaScript code from disparate servers on the same page. While the ability to create such mash-ups is attractive for both the user and the developer because of extra functionality, because of code inclusion, the hosting site effectively opens itself up for attacks and poor programming practices within every JavaScript library or API it chooses to use. In other words, expressiveness comes at the price of losing control. To regain the control, it is therefore valuable to provide means for the hosting page to restrict the behavior of the code that it may include. This paper presents CONSCRIPT, an client-side advice implementation for security, built on top of Internet Explorer 8 a. CONSCRIPT allows the hosting page to express fine-grained application-specific security policies that are enforced at runtime. In addition to presenting 17 widelyranging security and reliability policies that CONSCRIPT enables, we

Abstract. Phung et al (ASIACCS’09) describe a method for wrapping built-in methods of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies – i.e. policies upon which attacker code has no side effects. 1

Abstract Web mashups, a new web application development paradigm, combine content and services from multiple origins into a new service. Web mashups heavily depend on interaction between content from multiple origins and communication with different origins. Contradictory, mashup security relies on separation for protecting code and data. Traditional HTML techniques fail to address both the interaction/communication needs and the separation needs. This paper proposes concrete requirements for building secure mashups, divided in four categories: separation, interaction, communication and advanced behavior control. For the first three categories, all currently available techniques are discussed in light of the proposed requirements. For the last category, we present three relevant academic research results with high potential. We conclude the paper by highlighting the most applicable techniques for building secure mashups, because of functionality and standardization. We also discuss opportunities for future improvements and developments. 1

For better application-level controls on mashups, we advocate extending the Single Origin Policy and associated primitives to support a cooperative model that allows applications to express explicit sharing policies over browser, Javascript, and physical resources. First, we introduce an isolation model for content loading that is more complete than those of surveyed browser proposals. Second, we present new primitives to enable an application to secure its use of untrusted content by delegating browser, JavaScript, and physical resources in a fine-grained and reliable manner. Finally, essential to adoption, we propose an architecture based on designs for related abstractions with low performance and implementation costs. 1.

Browser extensions let developers add extra functionality to the browser. Although this enables popular new features, extensions threaten browser security because they are written by unknown third-party developers. An extension could be directly malicious, or a well-intentioned developer could write buggy code that leaks privileges to a malicious web site operator. This thesis advocates the development of an extension system that limits extensions’ privileges to the fewest privileges possible without crippling legitimate functionality. We motivate the reduction of extension privileges with a study of 25 Mozilla Firefox extensions. Currently, Firefox extensions have unrestricted access to browser privileges: extensions can delete files from the hard drive and launch processes. Our study shows that 88 % of the studied extensions do not require the most powerful privileges. We consider how the Firefox extension system could be changed to reduce extension privileges and remove the privilege gap. We then examine the new Google Chrome extension system, which supports restrictions on extensions as recommended by this work. We test the performance of their security mechanisms and study 25 popular Google Chrome extensions to see whether they are appropriately privileged. 1

Abstract not found

The large majority of websites nowadays embeds third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or to come under control of an attacker. Unfortunately, the state-of-practice integration techniques for thirdparty scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor. In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular finegrained security policies for potential untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies. Our proposed architecture improves upon the state-of-theart as it does not depend on browser modification nor preprocessing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of a open-source sandbox library in the EC-MAScript 5 specification, and applied it to a representative online advertisement case study to validate the feasibility and security of the proposed architecture.