Transcript: Speculative Execution of Untrusted JavaScript Code

Transcript is a system that enhances JavaScript with support for speculative execution. It introduces a new transaction construct, which hosting Web applications can use to demarcate regions that contain untrusted guest code. Actions performed within a transaction are logged and considered speculative until they are examined by the host and committed. Uncommitted actions simply do not take and cannot affect the host in any way. Transcript therefore provides hosting Web applications with powerful mechanisms to mediate the actions of untrusted guests and also cleanly recover from the effects of security-violating guest code. This paper describes the design of Transcript and its implementation in Firefox. Our exposition focuses on the novel features introduced by Transcript to support transactions, including a suspend/resume mechanism for JavaScript and support for speculative DOM updates. Our evaluation presents case studies showing that Transcript can be used to enforce powerful security policies on untrusted JavaScript code, and reports its performance on real-world applications and microbenchmarks.