JavaScript Sandboxing: Isolating and Restricting Client-Side JavaScript

  • Steven Van Acker
  • Andrei Sabelfeld
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9808)


Today’s web applications rely on the same-origin policy, the primary security policy of the Web, to isolate their web origin from malicious client-side JavaScript.

When an attacker can somehow breach the same-origin policy and execute JavaScript code inside a web application’s origin, he gains full control over all available functionality and data in that web origin.

In the JavaScript sandboxing field, we assume that an attacker has the ability to execute JavaScript code in a web application’s origin. The goal of JavaScript sandboxing is to isolate the execution of certain JavaScript code and restrict which functionality and data are available to it.

In this paper we discuss proposed JavaScript sandboxing systems divided into three categories: JavaScript sandboxing through JavaScript subsets and rewriting systems, JavaScript sandboxing using browser modifications, and JavaScript sandboxing without browser modifications.


Keywords: Policy Language; Object View; Cascade Style Sheets; Document Object Model; Document Object Model Tree
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was funded by the European Community under the ProSecuToR and WebSand projects, and by the Swedish research agencies SSF and VR.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Chalmers University of Technology, Gothenburg, Sweden
