JavaScript Sandboxing: Isolating and Restricting Client-Side JavaScript

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9808)

Abstract

Today’s web applications rely on the same-origin policy, the primary security policy of the Web, to isolate their web origin from malicious client-side JavaScript.

When an attacker can somehow breach the same-origin policy and execute JavaScript code inside a web application’s origin, he gains full control over all available functionality and data in that web origin.

In the JavaScript sandboxing field, we assume that an attacker has the ability to execute JavaScript code in a web application’s origin. The goal of JavaScript sandboxing is to isolate the execution of certain JavaScript code and restrict what functionality and data is available to it.

In this paper we discuss proposed JavaScript sandboxing systems divided into three categories: JavaScript sandboxing through JavaScript subsets and rewriting systems, JavaScript sandboxing using browser modifications and JavaScript sandboxing without browser modifications.
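The contrast the abstract draws, between code that holds full control over an origin and code that is handed restricted functionality and data, can be seen in a small deny-by-default `Proxy` wrapper. This is an added example, not code from the chapter or from any system it surveys; `originState`, `guestPolicy`, `attenuate` and `runGuest` are hypothetical names and the data is constructed. It shows only the restriction of what one object reference exposes, and assumes the guest receives nothing but that wrapped reference.

```javascript
// Constructed stand-in for the data and functionality reachable inside one web origin.
const originState = {
  cookie: 'session=constructed-example-value',
  profile: { name: 'alice', email: 'alice@example.test' },
  widget: { text: '', render(t) { this.text = String(t); return this.text.length; } },
};

// Hypothetical policy: dotted property paths the guest may read (or call) and write.
const guestPolicy = {
  read: new Set(['profile', 'profile.name', 'widget', 'widget.text', 'widget.render']),
  write: new Set(['widget.text']),
};

// Returns a deny-by-default view of `target`; every blocked operation is logged in `audit`.
function attenuate(target, policy, audit, path = '') {
  const full = (key) => (path ? `${path}.${String(key)}` : String(key));
  const block = (op, key) => { audit.push(`${op} ${full(key)}`); return false; };
  const readable = (key) => typeof key === 'string' && policy.read.has(full(key));
  const isRef = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
  return new Proxy(target, {
    get(t, key) {
      if (!readable(key)) { block('get', key); return undefined; }
      const v = Reflect.get(t, key);
      if (typeof v === 'function') {
        // Run the method on the real object; only primitive results cross back to the guest.
        return (...args) => { const r = Reflect.apply(v, t, args); return isRef(r) ? undefined : r; };
      }
      return isRef(v) ? attenuate(v, policy, audit, full(key)) : v; // nested objects stay wrapped
    },
    set(t, key, value) {
      if (typeof key !== 'string' || !policy.write.has(full(key))) return block('set', key);
      return Reflect.set(t, key, value);
    },
    has: (t, key) => readable(key) && Reflect.has(t, key),
    ownKeys: (t) => Reflect.ownKeys(t).filter((key) => readable(key)),
    getOwnPropertyDescriptor(t, key) {
      const d = Reflect.getOwnPropertyDescriptor(t, key);
      if (!d || !readable(key)) return undefined;
      // Never hand out the raw descriptor: its value would be an unwrapped reference.
      return { value: this.get(t, key), writable: false, enumerable: d.enumerable, configurable: true };
    },
    defineProperty: (t, key) => block('define', key),
    deleteProperty: (t, key) => block('delete', key),
    getPrototypeOf: () => null,        // hide the prototype chain
    setPrototypeOf: () => false,
    preventExtensions: () => false,    // the guest may not freeze the real object
  });
}

// Constructed guest: third-party code that is handed only the attenuated view.
function runGuest(view) {
  const seen = { name: view.profile.name, email: view.profile.email, cookie: view.cookie, keys: Object.keys(view) };
  seen.rendered = view.widget.render('hello');
  try { view.cookie = 'overwritten'; } catch (e) { /* a denied write throws TypeError in strict-mode code */ }
  return seen;
}

function demo() {
  const audit = [];
  const seen = runGuest(attenuate(originState, guestPolicy, audit));
  return { seen, audit, cookieAfter: originState.cookie, widgetText: originState.widget.text };
}
console.log(JSON.stringify(demo(), null, 2));
```

The guest here is an ordinary function in the same realm, so the wrapper mediates the object it is given but does not by itself keep code away from the global scope.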

Notes

  1. This work could also be listed under Sect. 3, but since the published paper mostly focuses on the cross-origin communication which does not require browser modifications, it is listed in this section instead.

Acknowledgments

This work was funded by the European Community under the ProSecuToR and WebSand projects, and by the Swedish research agencies SSF and VR.

Corresponding author

Correspondence to Steven Van Acker.

Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Van Acker, S., Sabelfeld, A. (2016). JavaScript Sandboxing: Isolating and Restricting Client-Side JavaScript. In: Aldini, A., Lopez, J., Martinelli, F. (eds) Foundations of Security Analysis and Design VIII. FOSAD 2016, FOSAD 2015. Lecture Notes in Computer Science, vol 9808. Springer, Cham. https://doi.org/10.1007/978-3-319-43005-8_2

  • DOI: https://doi.org/10.1007/978-3-319-43005-8_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-43004-1

  • Online ISBN: 978-3-319-43005-8

  • eBook Packages: Computer Science, Computer Science (R0)
