Much of the power of modern Web comes from the ability of a Web page to combine contents and JavaScript code from disparate servers on the same page. While the ability to create such mash-ups is attractive for both the user and the developer because of extra functionality, because of code inclusion, the hosting site effectively opens itself up for attacks and poor programming practices within every JavaScript library or API it chooses to use. In other words, expressiveness comes at the price of losing control. To regain the control, it is therefore valuable to provide means for the hosting page to restrict the behavior of the code that it may include. This paper presents CONSCRIPT, an client-side advice implementation for security, built on top of Internet Explorer 8 a. CONSCRIPT allows the hosting page to express fine-grained application-specific security policies that are enforced at runtime. In addition to presenting 17 widelyranging security and reliability policies that CONSCRIPT enables, we

Browsers do not currently support the secure sharing of JavaScript objects between principals. We present this problem as the need for object views, which are consistent and controllable versions of objects. Multiple views can be made for the same object and customized for the recipients. We implement object views with a JavaScript library that wraps shared objects and interposes on all access attempts. The security challenge is to fully mediate access to objects shared through a view and prevent privilege escalation. We discuss how object views can be deployed in two settings: sameorigin sharing with rewriting-based JavaScript isolation systems like Google Caja, and inter-origin sharing between browser frames over a message-passing channel. To facilitate simple document sharing, we build a policy system for declaratively defining policies for document object views. Notably, our document policy system makes it possible to hide elements without breaking document structure invariants. Developers can control the fine-grained behavior of object views with an aspect system that accepts programmatic policies.

Abstract. Phung et al (ASIACCS’09) describe a method for wrapping built-in methods of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies – i.e. policies upon which attacker code has no side effects. 1

Web sites and web browsers have recently evolved into platforms on top of which entire applications are delivered dynamically, mostly as JavaScript source code. This delivery format has sparked extremely enthusiastic efforts to customize both individual web sites and entire browsers in ways the original authors never expected or accommodated. Such customizations take the form of yet more script dynamically injected into the application, and the current idioms to do so exploit arcane JavaScript features and are extremely brittle. In this work, we accept the popularity of extensions and seek better linguistic mechanisms to support them. We suggest adding to JavaScript aspect-oriented features that allow straightforward and declarative ways for customization code to modify the targeted application. Compared to most prior aspect-related research, our work has a different motivation and a different target programming environment, both of which lead to novel design and implementation techniques. Our aspect weaving is entirely integrated into a new dynamic JIT compiler, which lets us properly handle advice to first-class functions in the presence of arbitrary aliasing, without resorting to whole-program code transformations. Our prototype demonstrates that an aspect-oriented approach to web-application customization is often more efficient than current idioms while simplifying the entire process.

Modern web applications consist of many distinct services that collaborate to provide the full application functionality. To improve application performance, developers need to be able to identify the root cause of performance problems; identifying and fixing performance problems in these distributed, heterogeneous applications can be very difficult. As web applications become more complicated, the number of systems involved will continue to grow and full-system performance tuning will become more difficult. We postulate that multi-tier profiling, starting at the web browser, is the appropriate way to solve this problem. Instrumenting from the web browser, as the user experiences it, ensures that we can tell what each service in the application is contributing to overall page-load time; thus, each tier