CPL - Chalmers Publication Library

JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications

Pieter Agten ; Steven Van Acker ; Yoran Brondsema ; Phu H. Phung (Department of Computer Science and Engineering, Software Technology (Chalmers)) ; Lieven Desmet ; Frank Piessens
Proceedings of ACSAC'2012 Annual Computer Security Applications Conference, Orlando, 3-7 December 2012 Vol. 1 (2012), p. 1-10.
[Conference contribution, peer-reviewed]

The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website. We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

Keywords: Sandbox; Script Inclusion; Security Architecture; Web Application Security; Web Mashups




This record was created 2012-12-24. Last modified 2016-07-20.
CPL Pubid: 168614

 
