JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications
Paper in proceeding, 2012

The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website. We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

Security Architecture


Web Mashups

Web Application Security

Script Inclusion


Pieter Agten

KU Leuven

Steven Van Acker

KU Leuven

Yoran Brondsema

KU Leuven

Phu Phung

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Lieven Desmet

KU Leuven

Frank Piessens

KU Leuven

Proceedings of ACSAC'2012 Annual Computer Security Applications Conference, Orlando, 3-7 December 2012

Vol. 1 1-10
978-1-4503-1312-4 (ISBN)

Subject Categories

Computer Engineering

Software Engineering

Areas of Advance

Information and Communication Technology





More information

Latest update