Lightweight Approach to Enforcing Security Policies for JavaScript

Conference poster, 2010

We present a method to intercept JavaScript built-in functions with security policies in order to control the behavior of security-relevant events in a web page so that unintended behavior can be prevented. The method is lightweight in the sense that it does not require browser modification, original code transformation, or language restriction (or extension). We also address possible vulnerabilities in the enforcement mechanism, and provide a systematic way to avoid the identified vulnerabilities, including general issues such as object and function subversion, and library-specific problems. The issue of untyped arguments in JavaScript is solved by declarative type checking that implements call-by-primitive-value idea to avoid possible side effects from attacker code. Enforceable security policies for JavaScript that can ensure the safety of the defined policies is also discussed.