WebPol: Fine-Grained Information Flow Policies for Web Browsers

  • Abhishek Bichhawat
  • Vineet Rajani
  • Jinank Jain
  • Deepak Garg
  • Christian Hammer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


In the standard web browser programming model, third-party scripts included in an application execute with the same privilege as the application’s own code. This leaves the application’s confidential data vulnerable to theft and leakage by malicious code and inadvertent bugs in the third-party scripts. Security mechanisms in modern browsers (the same-origin policy, cross-origin resource sharing and content security policies) are too coarse to suit this programming model. All these mechanisms (and their extensions) describe whether or not a script can access certain data, whereas the meaningful requirement is to allow untrusted scripts access to confidential data that they need and to prevent the scripts from leaking data on the side. Motivated by this gap, we propose WebPol, a policy mechanism that allows a website developer to include fine-grained policies on confidential application data in the familiar syntax of the JavaScript programming language. The policies can be associated with any webpage element, and specify what aspects of the element can be accessed by which third-party domains. A script can access data that the policy allows it to, but it cannot pass the data (or data derived from it) to other scripts or remote hosts in contravention of the policy. To specify the policies, we expose a small set of new native APIs in JavaScript. Our policies can be enforced using any of the numerous existing proposals for information flow tracking in web browsers. We have integrated our policies into one such proposal that we use to evaluate performance overheads and to test our examples.



We thank several anonymous reviewers for their excellent feedback. This work was funded in part by the Deutsche Forschungsgemeinschaft (DFG) grant “Information Flow Control for Browser Clients” under the priority program “Reliably Secure Software Systems” (RS\(^3\)).


  1. 1.
    Facebook. FBJS. Accessed 19 June 2017
  2. 2.
    Google Caja: A source-to-source translator for securing JavaScript-based web content. Accessed 19 June 2017
  3. 3.
    Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., Piessens, F.: JSand: complete client-side sandboxing of third-party javascript without browser modifications. In: Proceedings of 28th Annual Computer Security Applications Conference (ACSAC), pp. 1–10. ACM, New York (2012)Google Scholar
  4. 4.
    Austin, T.H., Flanagan, C.: Multiple facets for dynamic information flow. In: Proceedings 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pp. 165–178. ACM, New York (2012)Google Scholar
  5. 5.
    Barth, A.: The web origin concept. Accessed 19 June 2017
  6. 6.
    Bauer, L., Cai, S., Jia, L., Passaro, T., Stroucken, M., Tian, Y.: Run-time monitoring and formal analysis of information flows in chromium. In: Proceedings of ISOC Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  7. 7.
    Bichhawat, A., Rajani, V., Garg, D., Hammer, C.: Information flow control in WebKit’s javascript bytecode. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 159–178. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54792-8_9 CrossRefGoogle Scholar
  8. 8.
    Bichhawat, A., Rajani, V., Jain, J., Garg, D., Hammer, C.: WebPol: fine-grained information flow policies for web browsers (Full version) (2017).
  9. 9.
    Chudnov, A., Naumann, D.A.: Inlined information flow monitoring for javascript. In: Proceedings 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 629–643. ACM, New York (2015)Google Scholar
  10. 10.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for javascript. In: Proceedings of 30th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pp. 50–62. ACM, New York (2009)Google Scholar
  11. 11.
    Crockford, D.: ADsafe. Accessed 19 June 2017
  12. 12.
    De Groef, W., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of 19th ACM Conference on Computer and Communications Security (CCS), pp. 748–759. ACM, New York (2012)Google Scholar
  13. 13.
    Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: Proceedings of 31st IEEE Symposium on Security and Privacy (SP), pp. 109–124. IEEE Computer Society, Washington, DC (2010)Google Scholar
  14. 14.
    Dong, X., Chen, Z., Siadati, H., Tople, S., Saxena, P., Liang, Z.: Protecting sensitive web content from client-side vulnerabilities with CRYPTONS. In: Proceedings of 20th ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1311–1324. ACM, New York (2013)Google Scholar
  15. 15.
    Guarnieri, S., Pistoia, M., Tripp, O., Dolby, J., Teilhet, S., Berg, R.: Saving the world wide web from vulnerable javascript. In: Proceedings of 2011 International Symposium on Software Testing and Analysis (ISSTA), pp. 177–187. ACM, New York (2011)Google Scholar
  16. 16.
    Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: JSFlow: tracking information flow in javascript and its APIs. In: Proceedings of 29th Annual ACM Symposium on Applied Computing (SAC), pp. 1663–1671. ACM, New York (2014)Google Scholar
  17. 17.
    Hedin, D., Sabelfeld, A.: Information-flow security for a core of javascript. In: Proceedings of IEEE 25th Computer Security Foundations Symposium (CSF), pp. 3–18. IEEE Computer Society, Washington, DC (2012)Google Scholar
  18. 18.
    Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in javascript web applications. In: Proceedings of 17th ACM Conference on Computer and Communications Security (CCS), pp. 270–283. ACM, New York (2010)Google Scholar
  19. 19.
    Just, S., Cleary, A., Shirley, B., Hammer, C.: Information flow analysis for javascript. In: Proceedings of 1st ACM SIGPLAN International Workshop on Programming Language and Systems Technologies for Internet Clients (PLASTIC), pp. 9–18. ACM, New York (2011)Google Scholar
  20. 20.
    van Kesteren, A.: Cross-origin resource sharing. Accessed 19 June 2017
  21. 21.
    Li, Z., Zhang, K., Wang, X.: Mash-if: practical information-flow control within client-side mashups. In: Proceedings of 40th Annual IEEE/IFIP International Conference on Dependable Systems Networks (DSN), pp. 251–260 (2010)Google Scholar
  22. 22.
    Louw, M.T., Ganesh, K.T., Venkatakrishnan, V.N.: AdJail: practical enforcement of confidentiality and integrity policies on web advertisements. In: Proceedings of 19th USENIX Conference on Security (USENIX Security), pp. 24–40. USENIX Association, Berkeley (2010)Google Scholar
  23. 23.
    Meyerovich, L.A., Livshits, B.: ConScript: specifying and enforcing fine-grained security policies for javascript in the browser. In: Proceedings of 31st IEEE Symposium on Security and Privacy (SP), pp. 481–496. IEEE Computer Society, Washington, DC (2010)Google Scholar
  24. 24.
    Miller, M.: Robust composition: towards a unified approach to access control and concurrency control. Ph.D. thesis, Johns Hopkins University (2006)Google Scholar
  25. 25.
    Rafnsson, W., Sabelfeld, A.: Secure multi-execution: fine-grained, declassification-aware, and transparent. In: Proceedings of IEEE 26th Computer Security Foundations Symposium (CSF), pp. 33–48. IEEE Computer Society, Washington, DC (2013)Google Scholar
  26. 26.
    Rajani, V., Bichhawat, A., Garg, D., Hammer, C.: Information flow control for event handling and the DOM in web browsers. In: Proceedings of IEEE 28th Computer Security Foundations Symposium (CSF), pp. 366–379. IEEE Computer Society, Washington, DC (2015)Google Scholar
  27. 27.
    Stefan, D., Russo, A., Mazières, D., Mitchell, J.C.: Disjunction category labels. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 223–239. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29615-4_16 CrossRefGoogle Scholar
  28. 28.
    Stefan, D., Yang, E.Z., Marchenko, P., Russo, A., Herman, D., Karp, B., Mazières, D.: Protecting users by confining javascript with COWL. In: Proceedings of 11th USENIX Conference on Operating Systems Design and Implementation (OSDI), pp. 131–146. USENIX Association, Berkeley, CA, USA (2014)Google Scholar
  29. 29.
    Van Acker, S., De Ryck, P., Desmet, L., Piessens, F., Joosen, W.: WebJail: least-privilege integration of third-party components in web mashups. In: Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), pp. 307–316. ACM, New York (2011)Google Scholar
  30. 30.
    Vanhoef, M., De Groef, W., Devriese, D., Piessens, F., Rezk, T.: Stateful declassification policies for event-driven programs. In: Proceedings of IEEE 27th Computer Security Foundations Symposium (CSF), pp. 293–307. IEEE Computer Society, Washington, DC (2014)Google Scholar
  31. 31.
    West, M.: Content security policy level 3. Accessed 19 June 2017
  32. 32.
    Yang, J., Yessenov, K., Solar-Lezama, A.: A language for automatically enforcing privacy policies. In: Proceedings of 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pp. 85–96. ACM, New York (2012)Google Scholar
  33. 33.
    Zhou, Y., Evans, D.: Protecting private web content from embedded scripts. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 60–79. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23822-2_4 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Saarland UniversitySaarbrückenGermany
  2. 2.MPI-SWSKaiserslautern, SaarbrückenGermany
  3. 3.ETH ZürichZürichSwitzerland
  4. 4.University of PotsdamPotsdamGermany

Personalised recommendations