In the standard web browser programming model, third-party scripts included in an application execute with the same privilege as the application's own code. This leaves the application's confidential data vulnerable to theft and leakage by malicious code and inadvertent bugs in the third-party scripts. Security mechanisms in modern browsers (the same-origin policy, cross-origin resource sharing and content security policies) are too coarse to suit this programming model. All these mechanisms (and their extensions) describe whether or not a script can access certain data, whereas the meaningful requirement is to allow untrusted scripts access to confidential data that they need and to prevent the scripts from leaking data on the side. Motivated by this gap, we propose WebPol, a policy mechanism that allows a website developer to include fine-grained policies on confidential application data in the familiar syntax of the JavaScript programming language. The policies can be associated with any webpage element, and specify what aspects of the element can be accessed by which third-party domains. A script can access data that the policy allows it to, but it cannot pass the data (or data derived from it) to other scripts or remote hosts in contravention of the policy. To specify the policies, we expose a small set of new native APIs in JavaScript. Our policies can be enforced using any of the numerous existing proposals for information flow tracking in web browsers. We have integrated our policies into one such proposal that we use to evaluate performance overheads and to test our examples.
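The following is an added conceptual model of the mechanism the abstract describes, written for this page; it is not WebPol's API or code, and every name in it (`readAspect`, `derive`, `sendTo`, the element and domain values) is an assumption. It shows the two halves of the idea in miniature: a per-element policy that says which domains may read which aspect of the element, and a label that travels with the data through derived values so that a sink (a handoff to another script or a network send) can be refused when the destination is not covered by the policy.

```javascript
// Added example: element-level confidentiality policies enforced by
// information-flow labels. Names and values are assumptions, not WebPol's API.

// A constructed stand-in for a DOM element: its readable aspects and a
// policy mapping aspect -> list of domains allowed to see it. Aspects with no
// policy entry are public ("*").
function makeElement(aspects, policy) {
  return { aspects, policy };
}

// A value carrying the set of domains allowed to receive it ("*" = public).
class Labeled {
  constructor(value, allowed) {
    this.value = value;
    this.allowed = allowed;
  }
}

function allowedFor(element, aspect) {
  const p = element.policy[aspect];
  return p === undefined ? "*" : new Set(p);
}

// Access check: a script from `scriptDomain` may read the aspect only if the
// policy names that domain. The result is labeled so later flows are tracked.
function readAspect(element, aspect, scriptDomain) {
  const allowed = allowedFor(element, aspect);
  if (allowed !== "*" && !allowed.has(scriptDomain)) {
    throw new Error(`${scriptDomain} may not read ${aspect}`);
  }
  return new Labeled(element.aspects[aspect], allowed);
}

// Label meet: data derived from two restricted inputs may go only to domains
// allowed by both (set intersection); public inputs impose no restriction.
function meet(a, b) {
  if (a === "*") return b;
  if (b === "*") return a;
  return new Set([...a].filter((d) => b.has(d)));
}

// Compute fn over inputs while propagating labels to the result.
function derive(fn, ...inputs) {
  let allowed = "*";
  const raw = inputs.map((x) => {
    if (x instanceof Labeled) {
      allowed = meet(allowed, x.allowed);
      return x.value;
    }
    return x; // unlabeled literal: public
  });
  return new Labeled(fn(...raw), allowed);
}

// Sink check: the same test applies whether `destDomain` is a remote host or
// the origin of another script receiving the value.
function sendTo(labeled, destDomain) {
  const l = labeled instanceof Labeled ? labeled : new Labeled(labeled, "*");
  if (l.allowed !== "*" && !l.allowed.has(destDomain)) {
    return { sent: false, reason: `policy forbids sending to ${destDomain}` };
  }
  return { sent: true, payload: l.value };
}

// Worked scenario with constructed data: an email field a form widget may
// read, but an advertising script may not, and which must not reach ads.example.
function demo() {
  const emailField = makeElement(
    { value: "alice@example.test", placeholder: "Email" },
    { value: ["widget.example"] }
  );
  const email = readAspect(emailField, "value", "widget.example");
  const domainPart = derive((e) => e.split("@")[1], email);
  let adsReadBlocked = false;
  try {
    readAspect(emailField, "value", "ads.example");
  } catch (e) {
    adsReadBlocked = true;
  }
  // Placeholder text has no policy entry, so it stays public.
  const label = readAspect(emailField, "placeholder", "ads.example");
  return {
    widgetSend: sendTo(domainPart, "widget.example"),
    adsSend: sendTo(domainPart, "ads.example"),
    adsReadBlocked,
    publicSend: sendTo(label, "ads.example"),
  };
}

module.exports = { makeElement, Labeled, readAspect, derive, sendTo, demo };
```

The model is deliberately explicit-flow only: it tracks values through `derive` but not control dependencies, timing or DOM side channels, which is the part a real in-browser information flow tracker (the kind the abstract says WebPol is layered on) has to cover. The property worth checking in a real deployment is that every path out of the script's scope, not just the network call, is a checked sink.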