A two-tier sandbox architecture for untrusted JavaScript
Paper in proceedings, 2012

The large majority of websites nowadays embed third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or come under the control of an attacker. Unfortunately, the state-of-practice integration techniques for third-party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor. In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular fine-grained security policies for potentially untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies. Our proposed architecture improves upon the state of the art as it does not depend on browser modification nor preprocessing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of an open-source sandbox library in the ECMAScript 5 specification, and applied it to a representative online advertisement case study to validate the feasibility and security of the proposed architecture.

Web application security

Web mashups

Fine-grained security policy



Phu Phung

Chalmers, Computer Science and Engineering, Software Technology

Lieven Desmet

KU Leuven

JSTools '12 Proceedings of the Workshop on JavaScript Tools, Beijing, 13 June, 2012

978-1-4503-1274-5 (ISBN)


Information and Communication Technology


Computer Science




