Sandboxing Untrusted JavaScript

March 19, 2012

Ankur Taly

Stanford University

Most websites today incorporate untrusted JavaScript content in the form of advertisements, maps and social networking gadgets. Untrusted JavaScript, if embedded directly, has complete access to the page’s Document Object Model (DOM) and can therefore steal cookies, navigate the page, maliciously alter the page or cause other harm. In order to combat the above threat, websites use browser-based or language-based methods for sandboxing untrusted JavaScript. In this talk, I will present language-based techniques for sandboxing untrusted JavaScript, using Facebook FBJS, Yahoo! ADSafe and Google Caja as motivating examples. In particular, I will present provably-correct techniques for completely isolating untrusted JavaScript from security-critical hosting page resources, and for providing mediated access to security-critical hosting page resources. I will also present security vulnerabilities that we found in the Facebook FBJS and Yahoo! ADSafe sandboxing mechanisms during the course of this work, along with principled approaches to fixing those vulnerabilities. The talk will span JavaScript based on the 3rd edition of the ECMA-262 specification and also the recently released “strict mode” of JavaScript based on the 5th edition of the ECMA-262 specification.
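The two ingredients the abstract names, complete isolation of untrusted code from the hosting page and mediated access to a chosen subset of it, can be seen in a small toy. The block below is an added illustration, not code from the talk and not the actual FBJS, ADSafe or Caja implementations: the `hostPage` object stands in for the real page (its cookie value is constructed), the `dom` capability object is an assumed host-provided API, and the static filter is a deliberately simple regex blacklist in the ADSafe style (the real tools parse the program and reason about every construct). It shows why direct embedding leaks `document.cookie`, how a language-based filter plus shadowed globals and strict mode keeps the untrusted code from naming or reaching the page, and how a frozen wrapper hands out only the operations the host chooses to allow.

```javascript
"use strict";

// Constructed stand-in for the hosting page's security-critical state
// (in a browser this would be the real document / window).
const hostPage = { cookie: "session=constructed-secret", title: "Host page" };

// Direct embedding: the untrusted script runs with the page's own objects
// in scope, so it can read the cookie or rewrite the page at will.
function runDirect(src) {
  return new Function("document", src)(hostPage);
}

// Language-based isolation, step 1: a static filter in the ADSafe/FBJS
// spirit. Toy version: it scans identifiers with a regex instead of
// parsing, so it is conservative (a banned word inside a string literal
// is rejected too) and it only catches `a[b]` written without a space.
const BANNED_NAMES = new Set([
  "this", "eval", "with", "arguments", "Function", "constructor",
  "prototype", "__proto__", "globalThis", "window", "self", "global",
  "document", "setTimeout", "setInterval", "import", "require",
]);
const IDENT = /[A-Za-z_$][\w$]*/g;
const SUBSCRIPT = /[\w$)\]]\[/; // computed property access such as a["constru"+"ctor"]

function checkStatic(src) {
  if (SUBSCRIPT.test(src)) return "computed property access ([]) is not allowed";
  for (const name of src.match(IDENT) || []) {
    if (BANNED_NAMES.has(name)) return `identifier "${name}" is not allowed`;
    // ADSafe-style rule: names starting or ending with "_" are reserved for the host.
    if (name.startsWith("_") || name.endsWith("_")) return `underscore name "${name}" is not allowed`;
  }
  return null;
}

// Mediated access: the host hands out a frozen object exposing only the
// operations it is willing to allow (assumed API for this example).
// The untrusted code never receives a reference to hostPage itself.
function makeMediatedDom(host) {
  return Object.freeze({
    getTitle() { return host.title; },
    setTitle(t) { host.title = String(t).slice(0, 80); },
  });
}

// Language-based isolation, step 2: run the filtered code with the page's
// names shadowed by parameters and strict mode prepended, so that a bare
// `this` is undefined rather than the global object.
function runSandboxed(src, host = hostPage) {
  const reason = checkStatic(src);
  if (reason) return { ok: false, reason };
  try {
    const fn = new Function(
      "dom", "document", "window", "globalThis", "self", "global",
      '"use strict";\n' + src);
    return { ok: true, value: fn(makeMediatedDom(host)) };
  } catch (e) {
    return { ok: false, reason: `${e.name}: ${e.message}` };
  }
}

// Demonstration with constructed untrusted snippets.
console.log("direct embedding leaks:", runDirect("return document.cookie"));
console.log("sandboxed cookie read:", runSandboxed("return document.cookie"));
console.log("sandboxed escape via constructor:",
  runSandboxed("return (function(){}).constructor('return 1')()"));
console.log("sandboxed mediated call:",
  runSandboxed("dom.setTitle('Ad: buy now'); return dom.getTitle();"));
```

Note that the static check and the runtime shadowing are both needed: ES3 had no strict mode, so a sandbox for that language had to reject `this` textually, while even under strict mode a name such as `constructor` or `__proto__` would let filtered code climb back to `Function` and from there to the global object, which is why the blacklist covers them.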

This is joint work with John C. Mitchell, Sergio Maffeis, Úlfar Erlingsson, Mark S. Miller and Jasvir Nagra.


Ankur Taly

Ankur Taly is a 5th year Ph.D. candidate in the Department of Computer Science at Stanford University, working with Prof. John C. Mitchell. His research interests include web security, programming languages and formal methods. He has been a Google PhD Fellow in language security since June 2010. Prior to joining Stanford, Ankur completed his B.Tech. in Computer Science at the Indian Institute of Technology, Bombay in 2007.