Journal: Journal of Logic and Algebraic Programming

Survey on JavaScript security policies and their enforcement mechanisms in a web browser


Abstract

We observe a rapid growth of web-based applications every day. These applications are executed in the web browser, where they interact with a variety of information belonging to the user. The dynamism of web applications is provided by the use of web scripts, and in particular JavaScript, which accesses this information through a browser-provided set of APIs. Unfortunately, some of the scripts use the given functionality in malicious ways. Over the last decade, a substantial number of web-based attacks that violate users' privacy and security have been detected. For this reason, web script security has been an active area of research. Both computer security researchers and web developers have proposed a number of techniques to enforce different security and privacy policies in the web browser. Among all the works on web browser security, we survey dynamic techniques based on runtime monitoring as well as secure information flow techniques. We then combine and compare the security and privacy policies they enforce, and the way the enforcement is done. We target two groups of readers: 1) for computer security researchers we propose an overview of security-relevant components of the web browser and the security policies based on these components; we also show how well-known enforcement techniques are applied in a web browser setting; 2) for web developers we propose a classification of security policies, a comparison of existing enforcement mechanisms proposed in the literature, and an explanation of the formal guarantees that they provide.
