Transaction-based Sandboxing of JavaScript

by Matthias Keil and Peter Thiemann

Today's JavaScript applications are composed of scripts from different origins that are loaded at run time. As not all of these origins are equally trusted, the execution of these scripts should be isolated from one another. However, some scripts must access the application state and some may be allowed to change it, while preserving the confidentiality and integrity constraints of the application.

This paper presents DecentJS, a language-embedded sandbox for JavaScript. It enables scripts to run in a configurable degree of isolation with fine-grained access control. It provides a transactional scope in which effects are logged for review by the access control policy. After inspection of the log, effects can be committed to the application state or rolled back.

The implementation relies on JavaScript proxies to guarantee full interposition for the full language and for all code, including dynamically loaded scripts and code injected via eval.

Software Download

The DecentJS is provided under the MIT license.

• git clone git://github.com/keil/Sandbox.git
• git clone git://github.com/keil/DecentJS.git

Publications

Research Paper

• Matthias Keil, Peter Thiemann
  
  Transaction-based Sandboxing for JavaScript (Technical Report)
  
  Institute for Computer Science, University of Freiburg
  
  
  
   

Talks

• Matthias Keil
  
  On Contracts, Sandboxes, and Proxies for JavaScript
  
  18. Kolloquium Programmiersprachen und Grundlagen der Programmierung, KPS 2015
  
  Pörtschach am Wörthersee, Österreich, October 5, 2015
  
  
  
   
• Matthias Keil
  
  On Contracts and Sandboxes for JavaScript
  
  Invited talk at the Software Lab, TU Darmstadt
  
  Darmstadt, Germany, August 2015
  
  
  
   

Related Work

• Matthias Keil, Peter Thiemann
  
  TreatJS: Higher-Order Contracts for JavaScript
  
  The European Conference on Object-Oriented Programming, ECOOP 2015
  
  Prague, Czech Republic, July 5-10, 2015
  
  
  
   
• Matthias Keil, Peter Thiemann
  
  TreatJS: Higher-Order Contracts for JavaScripts (Technical Report)
  
  Institute for Computer Science, University of Freiburg
  
  
  
   
• Matthias Keil, Peter Thiemann
  
  Efficient Dynamic Access Analysis Using JavaScript Proxies
  
  Dynamic Languages Symposium 2013, DLS'13
  
  Indianapolis, Indiana, USA, October 28, 2013
  
  
  
   
• Matthias Keil, Peter Thiemann
  
  Efficient Dynamic Access Analysis Using JavaScript Proxies (Technical Report)
  
  Institute for Computer Science, University of Freiburg