Sandboxing Untrusted JavaScript: A Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Abstract
Many contemporary Web sites incorporate third-party content in the form of advertisements, social-networking widgets, and maps. A number of sites like Facebook and Twitter also allow users to post comments that are then served to others, or allow users to add their own applications to the site. Such third-party content often consists of executable code, commonly written in JavaScript, that runs together with the Web site’s code in the user’s browser. While such interweaving of code from multiple sources often enhances the user experience, the Web site may not always trust the source of the third-party code. Moreover, due to the proliferation of ad networks and content distribution networks, the true source of content may be hidden behind multiple levels of indirection. With the rapid rise in e-commerce and social interaction on the Web, there is a vast amount of sensitive user data displayed on Web pages today — typically in the form of user-profile information, pictures, comments, credit card numbers, etc. Unless suitable restrictions are imposed, malicious third-party code executing within a Web page can easily steal or alter such sensitive information and therefore poses a significant security threat. For instance, a malicious advertisement on a page with a login form could use JavaScript to read login credentials from the form and send them to a remote server. Even worse, it could use JavaScript to define a key-logger that surreptitiously logs all user key presses and then sends this data to a (malicious) remote server. Web sites presently combat this threat by filtering and rewriting untrusted JavaScript before placing it on the page. There are a number of such JavaScript “sandboxing” tools, including Facebook FBJS, Yahoo! ADSafe, Google Caja, and Microsoft
Similar resources
Gaze-enhanced User Interface Design a Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Structuring Peer Interactions for Massive Scale Learning a Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Incorporating Uncertainty in Data Management and Integration a Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Simulation-based Search for Hybrid System Control and Analysis a Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Haptics and Physical Simulation for Virtual Bone Surgery a Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy