Skip to Main content Skip to Navigation
Conference papers

Flexible access control for JavaScript

Gregor Richards 1 Christian Hammer 2 Francesco Zappa Nardelli 3 Suresh Jagannathan 1 Jan Vitek 1
3 Parkas - Parallélisme de Kahn Synchrone
DI-ENS - Département d'informatique de l'École normale supérieure, Inria Paris-Rocquencourt, CNRS - Centre National de la Recherche Scientifique : UMR 8548
Abstract : Providing security guarantees for systems built out of untrusted components requires the ability to define and enforce access control policies over untrusted code. In Web 2.0 applications, JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over subsets of a JavaScript program by leveraging the concept of delimited histories with revocation. We implement our proposal in WebKit and evaluate it with three policies on 50 widely used websites with no changes to their JavaScript code and report performance overheads and violations.
Document type :
Conference papers
Complete list of metadata

https://hal.inria.fr/hal-00909080
Contributor : Francesco Zappa Nardelli <>
Submitted on : Monday, November 25, 2013 - 5:16:34 PM
Last modification on : Thursday, July 1, 2021 - 5:58:08 PM

Identifiers

Collections

Citation

Gregor Richards, Christian Hammer, Francesco Zappa Nardelli, Suresh Jagannathan, Jan Vitek. Flexible access control for JavaScript. OOPSLA 2013 - CM SIGPLAN international conference on Object oriented programming systems languages & applications, Oct 2013, Indianapolis, IN, United States. pp.305-322, ⟨10.1145/2509136.2509542⟩. ⟨hal-00909080⟩

Share

Metrics

Record views

273