Skip to Main content Skip to Navigation
Conference papers

Flexible access control for JavaScript

Gregor Richards 1 Christian Hammer 2 Francesco Zappa Nardelli 3 Suresh Jagannathan 1 Jan Vitek 1 
3 Parkas - Parallélisme de Kahn Synchrone
DI-ENS - Département d'informatique - ENS Paris, Inria Paris-Rocquencourt, CNRS - Centre National de la Recherche Scientifique : UMR 8548
Abstract : Providing security guarantees for systems built out of untrusted components requires the ability to define and enforce access control policies over untrusted code. In Web 2.0 applications, JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over subsets of a JavaScript program by leveraging the concept of delimited histories with revocation. We implement our proposal in WebKit and evaluate it with three policies on 50 widely used websites with no changes to their JavaScript code and report performance overheads and violations.
Document type :
Conference papers
Complete list of metadata
Contributor : Francesco Zappa Nardelli Connect in order to contact the contributor
Submitted on : Monday, November 25, 2013 - 5:16:34 PM
Last modification on : Thursday, March 31, 2022 - 4:37:54 AM




Gregor Richards, Christian Hammer, Francesco Zappa Nardelli, Suresh Jagannathan, Jan Vitek. Flexible access control for JavaScript. OOPSLA 2013 - CM SIGPLAN international conference on Object oriented programming systems languages & applications, Oct 2013, Indianapolis, IN, United States. pp.305-322, ⟨10.1145/2509136.2509542⟩. ⟨hal-00909080⟩



Record views