Foundations of Security Analysis and Design VIII

Volume 9808 of the series Lecture Notes in Computer Science, pp. 32-86


JavaScript Sandboxing: Isolating and Restricting Client-Side JavaScript

  • Steven Van Acker, Chalmers University of Technology
  • Andrei Sabelfeld, Chalmers University of Technology



Today’s web applications rely on the same-origin policy, the primary security policy of the Web, to isolate their web origin from malicious client-side JavaScript.

When an attacker can somehow breach the same-origin policy and execute JavaScript code inside a web application’s origin, he gains full control over all available functionality and data in that web origin.

In the JavaScript sandboxing field, we assume that an attacker has the ability to execute JavaScript code in a web application’s origin. The goal of JavaScript sandboxing is to isolate the execution of certain JavaScript code and restrict what functionality and data is available to it.

In this paper we discuss proposed JavaScript sandboxing systems divided into three categories: JavaScript sandboxing through JavaScript subsets and rewriting systems, JavaScript sandboxing using browser modifications and JavaScript sandboxing without browser modifications.