A Formally Verified Model of Web Components

  • Achim D. Brucker
  • Michael Herzberg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12018)


The trend towards ever more complex client-side web applications is unstoppable. Compared to traditional software development, client-side web development lacks a well-established component model, i.e., a method for easily and safely reusing already developed functionality. To address this issue, the web community started to adopt shadow trees as part of the Document Object Model (DOM). Shadow trees allow developers to “partition” a DOM instance into parts that should be safely separated, e.g., code modifying one part should not unintentionally affect other parts of the DOM.

While shadow trees provide the technical basis for defining web components, the DOM standard neither defines the concept of web components nor specifies the safety properties that web components should guarantee. Consequently, the standard also does not discuss how or even if the methods for modifying the DOM respect component boundaries.

In this paper, we present a formally verified model of web components and define safety properties which ensure that different web components can only interact with each other using well-defined interfaces. Moreover, our verification of the application programming interface (API) of the DOM revealed numerous invariants that implementations of the DOM API need to preserve to ensure the integrity of components.
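The isolation the abstract describes can be made concrete with a small executable model of a node tree with shadow trees. The following JavaScript is an added example written for this page; it is neither the paper's Isabelle/HOL model nor a browser DOM, and the class names, the `queryAll` helper and the `shadowInvariantsHold` check are constructed here for illustration. The behaviour it encodes follows the WHATWG DOM standard: tag-name queries do not descend into a child's shadow tree, `getRootNode()` stops at the shadow root while `getRootNode({composed: true})` crosses the host to reach the document, and a closed shadow root is not exposed through `element.shadowRoot`.

```javascript
// Constructed minimal model of a DOM node tree with shadow trees (example
// code for this page, not the paper's verified model and not a browser DOM).

class Node {
  constructor(nodeName) {
    this.nodeName = nodeName;
    this.parentNode = null;
    this.childNodes = [];
  }
  appendChild(child) {
    if (child.parentNode) child.parentNode.removeChild(child);
    child.parentNode = this;
    this.childNodes.push(child);
    return child;
  }
  removeChild(child) {
    const i = this.childNodes.indexOf(child);
    if (i < 0) throw new Error("not a child of this node");
    this.childNodes.splice(i, 1);
    child.parentNode = null;
    return child;
  }
  // Root of the tree this node lives in. With {composed: true} a shadow root
  // is crossed via its host, so any node in a document reports the document.
  getRootNode({ composed = false } = {}) {
    let n = this;
    for (;;) {
      if (n.parentNode) { n = n.parentNode; continue; }
      if (composed && n instanceof ShadowRoot) { n = n.host; continue; }
      return n;
    }
  }
  // Tag-name query over this node's own tree: descends into children but
  // never into a child's shadow tree. This is the component boundary.
  queryAll(tagName) {
    const out = [];
    const walk = (n) => {
      for (const c of n.childNodes) {
        if (c.nodeName === tagName) out.push(c);
        walk(c);
      }
    };
    walk(this);
    return out;
  }
}

class Document extends Node {
  constructor() { super("#document"); }
}

class ShadowRoot extends Node {
  constructor(host, mode) {
    super("#shadow-root");
    this.host = host;   // the element this shadow tree hangs off
    this.mode = mode;   // "open" or "closed"
  }
}

class Element extends Node {
  constructor(tagName) {
    super(tagName);
    this._shadow = null; // internal slot, exposed only via the getter below
  }
  attachShadow({ mode }) {
    if (mode !== "open" && mode !== "closed") throw new TypeError("bad mode");
    if (this._shadow) throw new Error("shadow root already attached");
    this._shadow = new ShadowRoot(this, mode);
    return this._shadow;
  }
  // Only an open shadow root is reachable from outside the component.
  get shadowRoot() {
    return this._shadow && this._shadow.mode === "open" ? this._shadow : null;
  }
}

// Illustrative structural invariant (written for this page): every shadow
// root is attached to exactly one host that points back at it, is never the
// child of any node, and every child's parentNode link is consistent.
function shadowInvariantsHold(root) {
  let ok = true;
  const walk = (n) => {
    if (n instanceof Element && n._shadow) {
      const s = n._shadow;
      ok = ok && s instanceof ShadowRoot && s.host === n && s.parentNode === null;
      walk(s);
    }
    for (const c of n.childNodes) { ok = ok && c.parentNode === n; walk(c); }
  };
  walk(root);
  return ok;
}

// Constructed sample tree: <div> with a shadow tree holding <p>, plus a <p>
// sibling in the light (document) tree.
function buildExample(mode = "open") {
  const doc = new Document();
  const host = doc.appendChild(new Element("div"));
  const shadow = host.attachShadow({ mode });
  const inner = shadow.appendChild(new Element("p"));
  const outer = doc.appendChild(new Element("p"));
  return { doc, host, shadow, inner, outer };
}
```

Running `buildExample("open").doc.queryAll("p")` returns only the light-tree paragraph; the one inside the shadow tree is reachable only through `host.shadowRoot.queryAll("p")`, and with `"closed"` not at all from outside. The `shadowInvariantsHold` walk is the kind of structural property a DOM implementation has to keep true across every mutating operation; the paper's contribution is proving such properties for the actual DOM API rather than spot-checking them as done here.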


Keywords: Web component, Shadow tree, DOM, Isabelle/HOL



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Department of Computer Science, University of Exeter, Exeter, UK
  2. Department of Computer Science, The University of Sheffield, Sheffield, UK
