Add-on JavaScript originating from users’ inputs to the browser brings new functionalities such as debugging and entertainment, however it also leads to a new type of cross-site scripting attack (defined as add-on XSS by us), which consists of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to input the previous JavaScript. In this paper, we focus...

Building reusable libraries and reliable, maintainable programs requires modular design, yet JavaScript currently provides little support for modularity. In this paper, we present the design of a module system for JavaScript. Our design is currently the basis for the module system in the next version of the JavaScript standard. The design provides a simple model for programmers and supports dev...

Running on billions of today’s computing devices, JavaScript has become a ubiquitous platform for deploying web applications. Unfortunately, an application developer who wishes to include a third-party script must enter into an implicit trust relationship with the thirdparty—granting it unmediated access to its entire application content. In this paper, we present js.js, a JavaScript interprete...

JavaScript is a programming language originally developed for client-side scripting in Web browsers; its use evolved from simple scripts to complex Web applications. It has also found use in mobile applications, server-side network programming, and databases. A number of semantics were developed for the JavaScript language. We are specifically interested in two of them: JSCert and JS. In order ...

Existing approaches to providing security for untrusted JavaScript include isolation of capabilities – a.k.a. sandboxing. Features of the JavaScript language conspire to make this nontrivial, and isolation normally requires complex filtering, transforming and wrapping untrusted code to restrict the code to a manageable subset. The latest JavaScript specification (ECMAScript 5) has been modified...