Skip to Main content Skip to Navigation
New interface
Reports (Research report)

Embedding of Security Components in Untrusted Third-Party Websites

Abstract : Security-sensitive components, such as single sign-on APIs, need to be safely deployed on untrusted webpages. We present several new attacks on security components used in popular web applications that demonstrate how failing to isolate such components leaves them vulnerable to attacks both from the hosting website and other components loaded on the same page. These attacks are not prevented by browser security mechanisms alone, because they are caused by code interacting within the same origin. To mitigate these attacks, we propose to combine fine-grained component isolation at the JavaScript level with cryptographic mechanisms. We present Defensive JavaScript (DJS), a subset of the language that guarantees the behavioral integrity of trusted scripts loaded in an untrusted page. We give a sound type system, type inference tool and build defensive libraries for cryptography and data encodings. We show the effectiveness of our solution by implementing several isolation patterns that fix some of our original attacks. We use a translation of a fragment of DJS to to applied pi-calculus to verify concrete security policies of critical components against various classes of web attackers.
Document type :
Reports (Research report)
Complete list of metadata

Cited literature [31 references]  Display  Hide  Download
Contributor : Antoine Delignat-Lavaud Connect in order to contact the contributor
Submitted on : Friday, April 19, 2013 - 1:37:23 PM
Last modification on : Thursday, October 27, 2022 - 4:02:49 AM
Long-term archiving on: : Saturday, July 20, 2013 - 4:02:24 AM


Files produced by the author(s)


  • HAL Id : hal-00815800, version 1


Antoine Delignat-Lavaud, Karthikeyan Bhargavan, Sergio Maffeis. Embedding of Security Components in Untrusted Third-Party Websites. [Research Report] RR-8285, INRIA. 2013, pp.32. ⟨hal-00815800⟩



Record views


Files downloads