B. Adida, A. Barth, and C. Jackson, Rootkits for JavaScript environments, WOOT, 2009.

D. Akhawe, P. Saxena, and D. Song, Privilege separation in HTML5 applications, USENIX Security, 2012.

T. Austin and C. Flanagan, Multiple facets for dynamic information flow, POPL, pp.165-178, 2012.

M. Avalle, A. Pironti, D. Pozza, and R. Sisto, JavaSPI, International Journal of Secure Software Engineering, vol.2, issue.4, pp.34-48, 2011.
DOI : 10.4018/jsse.2011100103

C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage, 2013.
DOI : 10.1007/978-3-642-36830-1_7
URL : https://hal.archives-ouvertes.fr/hal-00863375

C. Bansal, K. Bhargavan, and S. Maffeis, Discovering Concrete Attacks on Website Authorization by Formal Analysis, 2012 IEEE 25th Computer Security Foundations Symposium, pp.247-262, 2012.
DOI : 10.1109/CSF.2012.27
URL : https://hal.archives-ouvertes.fr/hal-00815834

A. Barth, C. Jackson, and W. Li, Attacks on JavaScript mashup communication, W2SP, 2009.

A. Barth, C. Jackson, and J. C. Mitchell, Securing frame communication in browsers, USENIX Security, 2008.
DOI : 10.1145/1516046.1516066

A. Belenko and D. Sklyarov, "Secure password managers" and "Military-grade encryption" on smartphones: Oh, really?, 2012.

K. Bhargavan and A. Delignat-Lavaud, Web-based attacks on host-proof encrypted storage, 2012.
URL : https://hal.archives-ouvertes.fr/hal-00863383

K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, Defensive JavaScript website with testbed, technical report and supporting materials, 2013.

K. Bhargavan, C. Fournet, A. D. Gordon, and S. Tse, Verified interoperable implementations of security protocols, CSFW, pp.139-152, 2006.

B. Blanchet and B. Smyth, ProVerif: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial

P. Canning, W. Cook, W. Hill, W. Olthoff, and J. Mitchell, F-bounded polymorphism for object-oriented programming, FPCA, pp.273-280, 1989.

L. Cardelli, Extensible records in a pure calculus of subtyping, Theoretical Aspects of Object-Oriented Programming, pp.373-425, 1994.

D. Crockford, ADsafe: Making JavaScript safe for advertising, 2008.

W. De Groef, D. Devriese, N. Nikiforakis, and F. Piessens, FlowFox, Proceedings of the 2012 ACM conference on Computer and communications security, CCS '12, pp.748-759, 2012.
DOI : 10.1145/2382196.2382275

D. Dolev and A. C. Yao, On the security of public key protocols, IEEE Transactions on Information Theory, vol.29, issue.2, pp.198-208, 1983.
DOI : 10.1109/TIT.1983.1056650

M. Finifter, A. Mettler, N. Sastry, and D. Wagner, Verifiable functional purity in Java, Proceedings of the 15th ACM conference on Computer and communications security, CCS '08, pp.161-174, 2008.
DOI : 10.1145/1455770.1455793

M. Finifter, J. Weinberger, and A. Barth, Preventing Capability Leaks in Secure JavaScript Subsets, BDSS, 2010.

C. Fournet, N. Swamy, J. Chen, P. Dagand, P. Strub et al., Fully abstract compilation to JavaScript, POPL'13, 2013.
URL : https://hal.archives-ouvertes.fr/hal-00780803

P. Haack, JSON hijacking, 2009.

D. Hardt, The OAuth 2.0 authorization framework, IETF RFC, vol.6749, 2012.
DOI : 10.17487/rfc6749

D. Hedin and A. Sabelfeld, Information-Flow Security for a Core of JavaScript, 2012 IEEE 25th Computer Security Foundations Symposium, pp.3-18, 2012.
DOI : 10.1109/CSF.2012.19

S. Maffeis, J. C. Mitchell, and A. Taly, Isolating JavaScript with Filters, Rewriting, and Wrappers, ESORICS'09, 2009.
DOI : 10.1007/978-3-540-31987-0_28
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

L. Meyerovich, A. Porter Felt, and M. Miller, Object views, Proceedings of the 19th international conference on World wide web, WWW '10, 2010.
DOI : 10.1145/1772690.1772764

L. Meyerovich and B. Livshits, ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser, 2010 IEEE Symposium on Security and Privacy, 2010.
DOI : 10.1109/SP.2010.36

J. Mickens and M. Finifter, Jigsaw: Efficient, low-effort mashup isolation, USENIX Web Application Development, 2012.

R. Milner, Functions as processes, Automata, Languages and Programming, pp.167-180, 1990.
URL : https://hal.archives-ouvertes.fr/inria-00075405

P. Phung, D. Sands, and D. Chudnov, Lightweight self-protecting JavaScript, ASIACCS, 2009.

J. Politz, S. Eliopoulos et al., ADsafety: Type-based verification of JavaScript sandboxing, USENIX Security.

F. Pottier, Type inference in the presence of subtyping: from theory to practice, Research Report, vol.3483, 1998.
URL : https://hal.archives-ouvertes.fr/inria-00073205

C. Reis, J. Dunagan, H. Wang, O. Dubrovsky, and S. Esmeir, BrowserShield, ACM Transactions on the Web, vol.1, issue.3, 2007.
DOI : 10.1145/1281480.1281481

G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson, Busting frame busting: a study of clickjacking vulnerabilities at popular sites, W2SP'10, 2010.

J. Somorovsky, A. Mayer, A. Worth, J. Schwenk, M. Kampmann et al., On breaking SAML: Be whoever you want to be, 2012.

E. Stark, M. Hamburg, and D. Boneh, Symmetric Cryptography in Javascript, 2009 Annual Computer Security Applications Conference, pp.373-381, 2009.
DOI : 10.1109/ACSAC.2009.42

B. Sterne and A. Barth, Content Security Policy 1.0. W3C Candidate Recommendation, 2012.

A. Taly, Ú. Erlingsson, J. C. Mitchell, M. Miller, and J. Nagra, Automated analysis of security-critical JavaScript APIs, IEEE S&P, 2011.

Google Caja Team, A source-to-source translator for securing JavaScript-based web

R. Wang, S. Chen, and X. Wang, Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services, 2012 IEEE Symposium on Security and Privacy, pp.365-379, 2012.
DOI : 10.1109/SP.2012.30

R. Wang, S. Chen, X. Wang, and S. Qadeer, How to shop for free online - security analysis of cashier-as-a-service based web stores, IEEE S&P, pp.465-480, 2011.

M. Zalewski, The Tangled Web, 2011.

L. Zhengqin and T. Rezk, Mashic compiler: Mashup sandboxing based on inter-frame communication, 2012.