JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications
Paper in proceeding, 2012
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry
risks, as the included scripts operate with the privileges of the including website.
We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser
modifications: the sandboxing framework is implemented in
JavaScript and is delivered to the browser by the websites
that use it. Enforcement is done entirely at the client side:
JSand enforces a server-specified policy on included scripts
without requiring server-side filtering or rewriting of scripts.
Most importantly, JSand is complete: access to all resources
is mediated by the sandbox.
We describe the design and implementation of JSand, and
we show that it is secure, backwards compatible, and that
it performs sufficiently well.
Security Architecture
Sandbox
Web Mashups
Web Application Security
Script Inclusion
Author
Pieter Agten
KU Leuven
Steven Van Acker
KU Leuven
Yoran Brondsema
KU Leuven
Phu Phung
Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)
Lieven Desmet
KU Leuven
Frank Piessens
KU Leuven
Proceedings of ACSAC'2012 Annual Computer Security Applications Conference, Orlando, 3-7 December 2012
Vol. 1 1-10
978-1-4503-1312-4 (ISBN)
Subject Categories
Computer Engineering
Software Engineering
Areas of Advance
Information and Communication Technology
DOI
10.1145/2420950.2420952
ISBN
978-1-4503-1312-4