Making JavaScript Safe for Advertising

JavaScript, the programming language of the web browser, is not a secure language. Any script in a page has intimate access to all of the information and relationships of the page. This makes mashups and scripted advertising unacceptably risky.

ADsafe makes it safe to put guest code (such as third party scripted advertising or widgets) on a web page. ADsafe defines a subset of JavaScript that is powerful enough to allow guest code to perform valuable interactions, while at the same time preventing malicious or accidental damage or intrusion. The ADsafe subset can be verified mechanically by tools like JSLint so that no human inspection is necessary to review guest code for safety. The ADsafe subset also enforces good coding practices, increasing the likelihood that guest code will run correctly.

The ADsafe subset blocks a script from accessing any global variables or from directly accessing the Document Object Model or any of its elements. Instead, ADsafe gives the script access to an ADSAFE object that is provided by the page's server, giving indirect access to the guest code's DOM elements and other page services.

ADsafe does not modify scripts. It will not make scripts bigger or slower or alter their behavior. ADsafe makes it possible to quickly and reliably determine that a script is safe for placement on a site's pages.

And because ADsafe verification is not destructive, it can be performed at every stage of the deployment pipeline, or even after delivery as part of compliance testing.

How ADsafe Works

ADsafe removes features from JavaScript that are either unsafe, grant uncontrolled access to unsafe browser components, or contribute to poor code quality. Among the removed features are global variables, direct access to the Document Object Model, and the general subscript operator, each of which would otherwise let guest code reach objects outside its widget.

The good features of the language, including most of the methods of the standard types, are available to guest code. ADsafe provides in place of the excluded features an ADSAFE object that contains methods that restore the functionality in a safe way. For example, ADSAFE.get(object, key) and ADSAFE.set(object, key, value) take the place of the subscript operator.

Restrictions

All files and components must be encoded in UTF-8 and be properly identified as such.

Untrusted code will be able to indirectly call the window.onerror handler, because any uncaught exception thrown by guest code is delivered to it. The handler must be coded such that being called by untrusted code will cause no breach: treat its arguments as attacker-controlled input and do not expose any capability through it.

None of the prototypes of the built-in types may be augmented with methods that can breach ADsafe's containment.

All of the HTML id attributes defined on the page must be unique.

The ADSAFE Object

The ADSAFE object provides the base capabilities to the widget. The methods in the ADSAFE object are run-only; they cannot be copied or replaced.

Name                          Description
create(object)                Create a new empty object that inherits from object.
get(object, name)             Get the value of the object's name property.
go(id, function)              Start the widget. The id string must match the id of the widget's div.
has(object, name)             true if the object has an own property with that name.
id(id)                        Identify the widget. The id string must match the id of the widget's div.
isArray(value)                Returns true if the value is an array.
keys(object)                  Produce an array of keys from the own enumerable properties of an object.
later(function, milliseconds) Call a function in the future.
lib(name, function)           Register an ADsafe library.
log(string)                   Post the string to the browser's log. On some browsers it is necessary to start the debugger and select the console tab to see the log. This method is a debugging convenience.
remove(object, name)          Remove a property from the object.
set(object, name, value)      Set a property's value on the object.
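The following is an added example, not ADsafe's own source, written to illustrate two points from this page at once: why the bare subscript operator described under "How ADsafe Works" is a capability leak, and how a guarded stand-in for the ADSAFE object's get, set, has, keys, remove and create methods closes it. The banned-name list, the rule against names that start or end with an underscore, the error message text and the helper names (checkName, rejects, demo, escapeViaSubscript, escapeViaADSAFE) are this example's assumptions, not part of the ADsafe specification; go, id, later, lib and log are omitted because they need a page and a widget div.

```javascript
// Added example (assumption-labelled stand-in for the ADSAFE object; not the
// real adsafe.js). Property names that expose the prototype chain, the call
// stack or the Function constructor must never be reachable from guest code.
const BANNED = new Set([
  "arguments", "callee", "caller", "constructor", "eval", "prototype",
  "stack", "unwatch", "valueOf", "watch", "__proto__",
]);

function reject(message) {
  throw new Error("ADsafe violation: " + message);
}

// Accept a numeric index or a plain string that is neither banned nor
// underscore-prefixed/suffixed (assumed reserved for the host page).
function checkName(name) {
  if (typeof name === "number") {
    return String(name);
  }
  if (typeof name !== "string") {
    reject("property name must be a string or number");
  }
  if (BANNED.has(name) || name.startsWith("_") || name.endsWith("_")) {
    reject("forbidden property name " + JSON.stringify(name));
  }
  return name;
}

const hasOwn = (object, name) =>
  Object.prototype.hasOwnProperty.call(object, name);

// Frozen so guest code cannot replace a method with its own; every accessor
// funnels the property name through checkName before touching the object.
const ADSAFE = Object.freeze({
  create(object) { return Object.create(object); },
  get(object, name) { return object[checkName(name)]; },
  set(object, name, value) { object[checkName(name)] = value; },
  has(object, name) { return hasOwn(object, checkName(name)); },
  keys(object) { return Object.keys(object); },
  remove(object, name) { delete object[checkName(name)]; },
  isArray: Array.isArray,
});

// What guest code could do with the raw subscript operator: walk from any
// plain object to the Function constructor and build a function whose `this`
// is the global object (window in a browser, globalThis here). The key is
// assembled at run time, so a check that only inspects literals cannot see it.
function escapeViaSubscript(object) {
  const key = "constr" + "uctor";
  const FunctionCtor = object[key][key];
  return FunctionCtor("return this")() === globalThis;
}

// The same attempt through the guarded accessor is rejected by checkName.
function escapeViaADSAFE(object) {
  const key = "constr" + "uctor";
  const FunctionCtor = ADSAFE.get(ADSAFE.get(object, key), key);
  return FunctionCtor("return this")() === globalThis;
}

// true if fn throws an ADsafe violation, false if it runs to completion.
function rejects(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return /ADsafe violation/.test(e.message);
  }
}

// Ordinary guest-code use of the guarded API on a prototype-less object.
function demo() {
  const widget = ADSAFE.create(null);
  ADSAFE.set(widget, "clicks", 0);
  ADSAFE.set(widget, "clicks", ADSAFE.get(widget, "clicks") + 1);
  return {
    clicks: ADSAFE.get(widget, "clicks"),
    keys: ADSAFE.keys(widget),
    hasTitle: ADSAFE.has(widget, "title"),
  };
}
```

Note that the escape in escapeViaSubscript needs only a plain object and a string built at run time, which is why ADsafe bans the subscript operator outright (except for literal subscripts) rather than relying on a linter to spot dangerous names; the guarded accessor moves the name check to run time, where the assembled string is visible.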