Paper in proceedings, 2012
The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.
modifications: the sandboxing framework is implemented in
that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.

We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.
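The client-side mediation the abstract describes, as an added example rather than JSand's own code: a small Proxy membrane in JavaScript that hands an included script only policy-checked references to a constructed stand-in for `document`. The dotted-path policy format, `hostDocument` and `adPolicy` are assumptions made for illustration.

```javascript
// Added illustration (not JSand's own code): a Proxy membrane wraps a host object
// so every read, write and call made by an included script is checked against a
// policy of dotted paths, and every value handed back is wrapped in turn.
function makeMembrane(target, policy, path) {
  const wrap = (value, p) => {
    if (typeof value === 'function') {
      return new Proxy(value, {
        apply(fn, _thisArg, args) {
          if (!policy.call.has(p)) throw new Error(`blocked call: ${p}`);
          // invoke on the real target so host methods keep their own `this`
          return wrap(Reflect.apply(fn, target, args), `${p}()`);
        },
      });
    }
    return value !== null && typeof value === 'object' ? makeMembrane(value, policy, p) : value;
  };
  return new Proxy(target, {
    get(obj, prop) {
      const p = `${path}.${String(prop)}`;
      if (!policy.read.has(p) && !policy.call.has(p)) throw new Error(`blocked read: ${p}`);
      return wrap(Reflect.get(obj, prop), p);
    },
    set(obj, prop, value) {
      const p = `${path}.${String(prop)}`;
      if (!policy.write.has(p)) throw new Error(`blocked write: ${p}`);
      return Reflect.set(obj, prop, value);
    },
  });
}
// Run third-party script text with `document` shadowed by the membrane, so the
// included code only ever holds mediated references to host objects.
function runIncludedScript(source, host, policy) {
  try {
    return { ok: true, value: new Function('document', source)(makeMembrane(host, policy, 'document')) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
// Constructed stand-in for the host page's document (this runs outside a browser).
const hostDocument = {
  cookie: 'session=secret', title: 'Host page',
  elements: { ad: { textContent: '' } },
  getElementById(id) { return this.elements[id]; },
};
// Hypothetical server-specified policy for an ad script: it may read the title
// and fill its own slot, but cookies are not on the list.
const adPolicy = { read: new Set(['document.title']), call: new Set(['document.getElementById']),
  write: new Set(['document.getElementById().textContent']) };
```

Because the membrane wraps returned objects and functions as well, the included script never obtains an unmediated reference through which the policy could be bypassed.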
Web Application Security