Information-flow security for JavaScript and its APIs
Journal article, 2016

JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns barebone web pages into full-fledged services built up from third-party code. Script inclusion poses a challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.

reference monitoring

information flow



Web application security


Daniel Hedin

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Luciano Bello

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Journal of Computer Security

0926-227X (ISSN)

Vol. 24 2 181-234

Areas of Advance

Information and Communication Technology


Basic sciences

Subject Categories

Software Engineering



More information