
CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Leo A. Meyerovich, University of California, Berkeley, [email protected]
Benjamin Livshits, Research, [email protected]

Abstract—Much of the power of the modern Web comes from the ability of a Web page to combine content and JavaScript code from disparate servers on the same page. While the ability to create such mash-ups is attractive for both the user and the developer because of extra functionality, code inclusion effectively opens the hosting site up for attacks and poor programming practices within every JavaScript library or API it chooses to use. In other words, expressiveness comes at the price of losing control. To regain the control, it is therefore valuable to provide means for the hosting page to restrict the behavior of the code that the page may include. This paper presents CONSCRIPT, a client-side advice implementation for security, built on top of 8. CONSCRIPT allows the hosting page to express fine-grained application-specific security policies that are enforced at runtime. In addition to presenting 17 widely-ranging security and reliability policies that CONSCRIPT enables, we also show how policies can be generated automatically through static analysis of server-side code or runtime analysis of client-side code. We also present a that helps ensure correctness of CONSCRIPT policies.

For instance, an included library might perform a prototype hijacking attack [1], drastically redefining the behavior of the remainder of the JavaScript code on the page.

CONSCRIPT, a browser-based aspect system for security proposed in this paper, focuses on empowering the hosting page to carefully constrain the code it executes. For example, the hosting page may restrict the use of eval to JSON only, restrict cross-frame communication or cross-domain requests, allow only white-listed script to be loaded, limit popup window construction, limit JavaScript access to cookies, disallow dynamic IFRAME creations, etc. These constraints take the form of fine-grained policies expressed as JavaScript aspects that the hosting page can use to change the behavior of subsequent code. In CONSCRIPT, this kind of behavior augmentation is done via the script include tag to provide a policy as follows:

Web Analytics
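To make the aspect idea concrete, the following is an added example written for this page; it is not CONSCRIPT's own code or API. It shows a minimal "around" advice helper and three of the policy kinds the text lists (eval restricted to JSON, a cap on popup windows, and a white-list of script origins), applied to a constructed stand-in for the browser's global object (`makeHost`, `loadScript` and `installPolicies` are assumptions of this example) so that it runs offline in Node without touching the real globals.

```javascript
// around(obj, name, advice): replace obj[name] with a wrapper that hands
// control to advice(original, args). The advice decides whether, and with
// what arguments, the original function is invoked, and can refuse outright.
function around(obj, name, advice) {
  const original = obj[name];
  if (typeof original !== 'function') {
    throw new TypeError(name + ' is not a function on the host object');
  }
  obj[name] = function (...args) {
    return advice.call(this, original, args);
  };
  return obj[name];
}

// Policy: eval may only be used to parse JSON. The wrapper never forwards the
// string to the real eval; JSON.parse throws on anything that is not JSON.
function jsonOnlyEvalPolicy(host) {
  around(host, 'eval', function (original, args) {
    const src = String(args[0]);
    try {
      return JSON.parse(src);
    } catch (e) {
      throw new Error('policy violation: eval is restricted to JSON');
    }
  });
}

// Policy: at most `max` popup windows may be opened for the page's lifetime.
function limitPopupsPolicy(host, max) {
  let opened = 0;
  around(host, 'open', function (original, args) {
    if (opened >= max) {
      throw new Error('policy violation: popup limit of ' + max + ' reached');
    }
    opened += 1;
    return original.apply(this, args);
  });
}

// Policy: scripts may only be loaded from white-listed origins. The origin is
// taken from the parsed URL so "https://cdn.example.evil.test" does not pass.
function whitelistScriptPolicy(host, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  around(host, 'loadScript', function (original, args) {
    const origin = new URL(String(args[0])).origin;
    if (!allowed.has(origin)) {
      throw new Error('policy violation: script origin not white-listed: ' + origin);
    }
    return original.apply(this, args);
  });
}

// Constructed stand-in for the browser global object (assumption of this
// example). `eval` is indirect so it behaves like the unprotected baseline.
function makeHost() {
  return {
    eval: (src) => (0, eval)(src),
    open: (url) => ({ opened: url }),
    loadScript: (url) => ({ loaded: url }),
  };
}

// Install all three policies; in the browser this is what the hosting page's
// policy script would run before any third-party script is included.
function installPolicies(host, opts) {
  jsonOnlyEvalPolicy(host);
  limitPopupsPolicy(host, opts.maxPopups);
  whitelistScriptPolicy(host, opts.scriptOrigins);
  return host;
}

// Runs a few calls against a protected host and reports which were blocked.
function demo() {
  const host = installPolicies(makeHost(), {
    maxPopups: 1,
    scriptOrigins: ['https://cdn.example'],
  });
  const results = {};
  const attempt = (label, fn) => {
    try { results[label] = fn(); } catch (e) { results[label] = 'BLOCKED: ' + e.message; }
  };
  attempt('jsonEval', () => host.eval('{"count": 3}').count);
  attempt('codeEval', () => host.eval('1 + 1'));
  attempt('popup1', () => host.open('https://example.test/a').opened);
  attempt('popup2', () => host.open('https://example.test/b').opened);
  attempt('goodScript', () => host.loadScript('https://cdn.example/lib.js').loaded);
  attempt('badScript', () => host.loadScript('https://cdn.example.evil.test/lib.js').loaded);
  return results;
}
```

The ordering matters: because each `around` call captures the function currently installed on the host, the policy script must run before any included library obtains a reference to `eval`, `open` or the script loader, which is exactly why the text has the hosting page supply the policy through the script include tag ahead of other code.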