JavaScript, the programming language of the web browser, is not a secure language. Any script in a page has intimate access to all of the information and relationships of the page. This makes use of mashups and scripted advertising unacceptably risky.
ADsafe makes it safe to put guest code (such as third party scripted advertising or widgets) on a web page. ADsafe defines a subset of JavaScript that is powerful enough to allow guest code to perform valuable interactions, while at the same time preventing malicious or accidental damage or intrusion. The ADsafe subset can be verified mechanically by tools like JSLint so that no human inspection is necessary to review guest code for safety. The ADsafe subset also enforces good coding practices, increasing the likelihood that guest code will run correctly.
The ADsafe subset blocks a script from accessing any global variables or from directly accessing the Document Object Model or any of its elements. Instead, ADsafe gives the script access to an ADSAFE object that is provided by the page's server, giving indirect access to the guest code's DOM elements and other page services.
ADsafe does not modify scripts. It will not make scripts bigger or slower or alter their behavior. ADsafe makes it possible to quickly and reliably determine that script is safe for placement on a site's pages.
And because ADsafe verification is not destructive, it can be performed at every stage of the deployment pipeline, or even after delivery as part of compliance testing.
ADsafe removes features from JavaScript that are either unsafe or grant uncontrolled access to unsafe browser components or that contribute to poor code quality. The removed features include:

- Global variables. Only limited access to Array, Boolean, Number, String, and Math is allowed.
- this. When a function is called as a plain function rather than as a method, this is bound to the global object. Since ADsafe needs to restrict access to the global object, it must prohibit the use of this in guest code.
- arguments. Use of the arguments pseudo-array is not allowed.
- eval. The eval function provides access to the global object.
- with statement. The with statement modifies the scope chain, making static analysis impossible.
- Dangerous methods and properties: arguments, callee, caller, constructor, eval, prototype, stack, unwatch, valueOf, watch. Access to these properties with . notation is prohibited.
- Names starting or ending with _.
- The [ ] subscript operator, except when the subscript is a numeric literal or string literal or an expression that must produce a number value. So expressions like a[i] are disallowed because we cannot statically determine that i is not one of the dangerous property names. But a[+i] is allowed, because +i will always produce a number. Use the ADSAFE.get and ADSAFE.set methods instead.
- Date and Math.random. These are sources of non-determinism, and access to them is restricted.
The good features of the language, including most of the methods of the standard types, are available to guest code. ADsafe provides in place of the excluded features an ADSAFE object that contains methods that restore the functionality in a safe way. For example, ADSAFE.get(object, key) and ADSAFE.set(object, key, value) take the place of the subscript operator.
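The reasoning behind the subscript rule and the ADSAFE.get/ADSAFE.set replacements, as an added runnable illustration that is not adsafe.js itself (safeGet, safeSet, isSafeName, unguardedGet and unguardedSet are hypothetical names chosen for this example, and the guard is modelled on the banned-name and underscore rules listed above): an unguarded a[i] with attacker-controlled i reaches the global object in two hops through constructor and can pollute Object.prototype through __proto__, while the guarded forms refuse both names and still admit the numeric subscripts that +i produces.

```javascript
// Added illustration of the ADsafe subscript rule; not adsafe.js.
// The banned names are the "dangerous methods and properties" list.
const BANNED = new Set([
  "arguments", "callee", "caller", "constructor", "eval",
  "prototype", "stack", "unwatch", "valueOf", "watch",
]);

// A property name guest code may use: a non-negative integer index (what +i
// yields) or a string that is neither banned nor starts or ends with '_'
// (which also rules out __proto__ and the __define*__ accessors).
function isSafeName(name) {
  if (typeof name === "number") {
    return Number.isInteger(name) && name >= 0;
  }
  if (typeof name !== "string" || name === "") {
    return false;
  }
  return !BANNED.has(name) && name[0] !== "_" && name[name.length - 1] !== "_";
}

// What a[i] and a[i] = v do when nothing checks i.
function unguardedGet(obj, key) { return obj[key]; }
function unguardedSet(obj, key, value) { obj[key] = value; return value; }

// Stand-ins for ADSAFE.get and ADSAFE.set: same operation, guarded key.
function safeGet(obj, key) {
  if (!isSafeName(key)) {
    throw new Error("ADsafe: unsafe property name " + String(key));
  }
  return obj[key];
}

function safeSet(obj, key, value) {
  if (!isSafeName(key)) {
    throw new Error("ADsafe: unsafe property name " + String(key));
  }
  obj[key] = value;
  return value;
}

// With i under attacker control, two hops through "constructor" reach
// Function, and a function built from a string runs in global scope, so
// `this` inside it is the global object.
function escapeViaUnguardedSubscript() {
  const fn = unguardedGet(unguardedGet({}, "constructor"), "constructor");
  return fn("return this")() === globalThis;
}

// The same two hops through safeGet are refused at the first one.
function escapeViaSafeGet() {
  try {
    safeGet(safeGet({}, "constructor"), "constructor");
    return true; // unreachable if the guard works
  } catch (e) {
    return false;
  }
}

// Writing through an attacker-chosen key can also pollute every object's
// prototype; safeSet refuses "__proto__" because it starts with '_'.
function pollutionViaUnguardedSet() {
  const target = {};
  unguardedSet(unguardedGet(target, "__proto__"), "polluted", true);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo for the rest of the process
  return leaked;
}

// Numeric subscripts are the one unguarded form ADsafe allows, because
// +i cannot produce a property name such as "constructor".
function numericIndexAllowed() {
  const a = ["x", "y", "z"];
  const i = "2"; // constructed sample index
  return safeGet(a, +i) === a[+i];
}
```

The guard is deliberately a whitelist on the shape of the name rather than a blacklist of known-bad strings: anything that is not a non-negative integer or a plain identifier-like string is refused, so a new accessor name on a built-in prototype does not need a new entry to stay blocked.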
ADsafe's containment also depends on the hosting page satisfying these assumptions:

- All files and components must be encoded in UTF-8 and be properly identified as such.
- Untrusted code will be able to indirectly call the window.onerror handler. The handler must be coded such that being called by untrusted code will cause no breach.
- None of the prototypes of the built-in types may be augmented with methods that can breach ADsafe's containment.
- All of the HTML id attributes defined on the page must be unique.
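Why the prototype-augmentation assumption matters, as an added illustration that is not part of ADsafe (pageAugmentsStringPrototype, guestEscapes and the other function names are hypothetical): ADsafe forbids this in guest code, but a helper the page itself adds to String.prototype is host code and may use this. A non-strict function called without a receiver binds this to the global object, so guest code that detaches the helper with ordinary dot access and calls it as a plain function gets the global object back. The second helper shows the discipline the window.onerror rule asks for as well: validate the receiver and never hand it out.

```javascript
// Added illustration of the prototype-augmentation assumption; not ADsafe code.

// Hypothetical page helper. It is built with the Function constructor so
// that it is a non-strict function whatever mode this file is in, which is
// what a plain <script> on the page would be. It returns its receiver.
function pageAugmentsStringPrototype() {
  String.prototype.self = Function("return this;");
}

function pageRemovesAugmentation() {
  delete String.prototype.self;
}

// Guest code written inside the ADsafe subset: no `this`, no globals, no
// eval, no arbitrary subscripts. Dot access to a non-banned name and a
// plain call are both allowed, and that is enough to reach the global object.
function guestEscapes() {
  var detached = "x".self;
  var g = detached();
  return g === globalThis;
}

// A helper coded so that being called by untrusted code causes no breach:
// it checks its receiver and never returns it. Called on a string it works;
// detached and called plainly (this is the global object, or undefined in
// strict code) it refuses.
function pageAugmentsSafely() {
  String.prototype.shout = function () {
    if (typeof this !== "string" && !(this instanceof String)) {
      throw new TypeError("shout: receiver is not a string");
    }
    return String(this).toUpperCase();
  };
}

function pageRemovesSafeAugmentation() {
  delete String.prototype.shout;
}

function guestDetachesShout() {
  var detached = "x".shout;
  try {
    detached();
    return "returned";
  } catch (e) {
    return e instanceof TypeError ? "refused" : "error";
  }
}

// Run the unsafe scenario and clean up afterwards.
function demoEscape() {
  pageAugmentsStringPrototype();
  try {
    return guestEscapes();
  } finally {
    pageRemovesAugmentation();
  }
}

// Run the safe scenario: normal use still works, detached use is refused.
function demoSafe() {
  pageAugmentsSafely();
  try {
    return { normal: "hi".shout(), detached: guestDetachesShout() };
  } finally {
    pageRemovesSafeAugmentation();
  }
}
```

The verifier never sees the page's own scripts, so a breach planted in a built-in prototype is invisible to JSLint; the only defence is the page author keeping every added method free of receiver leaks, or not augmenting built-ins at all.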
ADSAFE Object

The ADSAFE object provides the base capabilities to the widget. The methods in the ADSAFE object are run-only; they cannot be copied or replaced.
Name | Description |
---|---|
create(object) | Create a new empty object that inherits from object. |
get(object, name) | Get the value of the object's name property. |
go(id, function) | Start the widget. The id string must match the id of the widget's div. |
has(object, name) | true if the object has an own property with that name. |
id(id) | Identify the widget. The id string must match the id of the widget's div. |
isArray(value) | Returns true if the value is an array. |
keys(object) | Produce an array of keys from the own enumerable properties of an object. |
later(function, milliseconds) | Call a function in the future. |
lib(name, function) | Register an ADsafe library. |
log(string) | Post the string to the browser's log. On some browsers it is necessary to start the debugger and select the console tab to see the log. This method is a debugging convenience. |
remove(object, name) | Remove a property from the object. |
set(object, name, value) | Set a property's value on the object. |