Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: fc87cee2bf
228 lines (219 sloc) 11.269 kb
<html>
<head>
<title>ADsafe</title>
<style>
h1, p {
color: black;
font-weight: normal;
}
b {
color: darkblue;
font-weight: normal;
}
h1 {
font-size: 120%;
text-align: center;
}
</style>
</head>
<body bgcolor="darkseagreen" text="black">
<div style="float: left; width: 304;">
<img src="adsafe.gif" border="2" width="300" height="147"><br>
<div style="color: dimgray; font-size: 200%; font-family: sans-serif; text-align: center;">ALPHA</div>
<div style="margin-top: 6px; padding: 1em; background-color: lemonchiffon; border: 2px solid black;">
<div> <a href="widget.html">Widget Structure</a></div><hr>
<div> <a href="dom.html">DOM API</a></div><hr>
<div>Sample widgets: <a href="roman.html">Roman</a> <a href="bats.html">Bats</a> <a href="sudoku.html">Sudoku</a> <a href="http://www.JSLint.com/">JSLint</a></div>
</div>
<div style="margin-top: 12px; padding: 1em; background-color: lemonchiffon; border: 2px solid black;">
<div> <a href="http://www.cs.brown.edu/research/plt/dl/adsafety/v1/adsafety.pdf">ADsafety: Type-Based Verification of JavaScript Sandboxing</a></div><hr>
<div> <a href="http://seclab.stanford.edu/websec/jsPapers/csf09-camera-ready.pdf">Language-Based Isolation of Untrusted JavaScript</a></div><hr>
<div> <a href="http://www-cs-students.stanford.edu/~ataly/Papers/sp11.pdf">Automated Analysis of Security-Critical JavaScript APIs</a></div><hr>
<div> <a href="http://www.adambarth.com/papers/2010/finifter-weinberger-barth.pdf">Preventing Capability Leaks in Secure JavaScript Subsets</a></div>
</div>
<div style="padding: 2px; text-align: center;"><a href="http://www.JSLint.com/"><img src="jslint.gif" alt="JSLint" width="32" height="17" border="0"></a> <a href="http://waterken.com/"><img src="w.gif" alt="Waterken" width="16" height="16" border="0"></a></div>
</div>
<div style="margin-left: 310px; padding: 1em; background-color: lemonchiffon; border: 2px solid black;">
<h1>Making JavaScript Safe for Advertising.</h1>
<p>JavaScript, the programming language of the web browser, is not
a secure language. Any script in a page has intimate access to all
of the information and relationships of the page. This makes use
of mashups and scripted advertising unacceptably risky.</p>
<p>AD<b>safe</b> makes it safe to put <var>guest code</var> (such
as third party scripted advertising or widgets) on a web page.
AD<b>safe</b> defines a subset of JavaScript that is powerful enough
to allow guest code to perform valuable interactions, while at the
same time preventing malicious or accidental damage or intrusion.
The AD<b>safe</b> subset can be verified mechanically by tools like
<a href="http://www.jslint.com/">JSLint</a> so that no human inspection
is necessary to review guest code for safety. The AD<b>safe</b>
subset also enforces good coding practices, increasing the likelihood
that guest code will run correctly. </p>
<p>The AD<b>safe</b> subset blocks a script from accessing any global
variables or from directly accessing the Document Object Model or
any of its elements. Instead, AD<b>safe</b> gives the script access
to an <code>ADSAFE</code> object that is provided by the page's
server, giving indirect access to the guest code's DOM elements
and other page services. </p>
<p>AD<b>safe</b> does not modify scripts. It will not make scripts
bigger or slower or alter their behavior. AD<b>safe</b> makes it
possible to quickly and reliably determine that script is safe for
placement on a site's pages. </p>
<p>And because AD<b>safe</b> verification is not destructive, it can
be performed at every stage of the deployment pipeline, or even
after delivery as part of compliance testing.</p>
<h1>How AD<b>safe</b> Works.</h1>
<p>AD<b>safe</b> removes features from JavaScript that are either
unsafe or grant uncontrolled access to unsafe browser components
or that contribute to poor code quality. The removed features include</p>
<ul>
<li>Global variables
<ul>
<li>AD<b>safe</b>'s object capability model prohibits the use
of most global variables. Limited access to <code>Array</code>,
<code>Boolean</code>, <code>Number</code>, <code></code><code>String</code>,
and <code>Math</code> is allowed.</li>
</ul>
</li>
<li><code>this</code>
<ul>
<li>If a method is called as a function, <code>this</code> is
bound to the global object. Since AD<b>safe</b> needs to restrict
access to the global object, it must prohibit the use of <code>this</code>
in guest code.</li>
</ul>
</li>
<li><code>arguments</code>
<ul>
<li>Access to the <code>arguments</code> pseudo-array is not allowed.</li>
</ul>
</li>
<li><code>eval</code>
<ul>
<li>The <code>eval</code> function provides access to the global
object.</li>
</ul>
</li>
<li><code>with</code> statement
<ul>
<li>The <code>with</code> statement modifies the scope chain,
making static analysis impossible.</li>
</ul>
</li>
<li>Dangerous methods and properties: <code>arguments callee
caller constructor eval prototype stack unwatch valueOf watch</code>
<ul>
<li>Capability leakage can occur with these names in at least
some browsers, so use of these names with <code>.</code> notation
is prohibited.</li>
</ul>
</li>
<li>Names starting or ending with <code>_</code>.
<ul>
<li>Some browsers have dangerous properties or methods that
have a dangling <code>_</code>.</li>
</ul>
</li>
<li><code>[ ]</code> subscript operator except when the subscript is
a numeric literal or string literal or an expression that must produce a number value. So expressions like <code>a[i]</code> are disallowed because we cannot statically determine that <code>i</code> is not one of the dangerous property names. But <code>a[+i]</code> is allowed, because <code>+i</code> will always produce a number.
<ul>
<li>Lookup of dynamic properties could provide access to the restricted
members. Use the <code>ADSAFE.get</code> and <code>ADSAFE.set</code>
methods instead. </li>
</ul>
</li>
<li><code>Date</code> and <code>Math.random</code>
<ul>
<li>Access to these sources of non-determinism is restricted
in order to make it easier to determine how widgets behave.</li>
</ul>
</li>
</ul>
<p>The good features of the language, including most of the methods of
the standard types, are available to guest code. AD<b>safe</b> provides
in place of the excluded features an <code>ADSAFE</code> object that
contains methods that restore the functionality in a safe way. For example,
<code>ADSAFE.get(</code><var>object</var><code>,</code> <var>key</var><code>)</code>
and <code>ADSAFE.set(</code><var>object</var><code>,</code> <var>key</var><code>,</code>
<var>value</var><code>)</code> take the place of the subscript operator.</p>
<h1>Restrictions</h1>
<p>All files and components must be encoded in UTF-8 and be properly
identified as such.</p>
<p>Untrusted code will be able to indirectly call the <code>window.onerror</code>
handler. The handler must be coded such that being called by untrusted
code will cause no breach.</p>
<p>None of the prototypes of the built-in types may be augmented with
methods that can breach AD<b>safe</b>'s containment.</p>
<p>All of the HTML <code>id</code> attributes defined on the page must
be unique.</p>
<h1>The <code>ADSAFE</code> Object</h1>
<p>The <code>ADSAFE</code> object provides the base capabilities to the
widget. The methods in the <code>ADSAFE</code> object are run-only;
they cannot be copied or replaced. </p>
<table border="1">
<tbody>
<tr>
<th valign="top">Name</th>
<th>Description</th>
</tr>
<tr>
<td valign="top"><code>create(</code><var>object</var><code>)</code></td>
<td>Create a new empty object that inherits from <var>object</var>.</td>
</tr>
<tr>
<td valign="top"><code>get(</code><var>object</var><code>,</code>
<var>name</var><code>)</code></td>
<td>Get the value of the <var>object</var>'s <var>name</var> property.</td>
</tr>
<tr>
<td valign="top"><code>go(</code><var>id</var><code>,</code> <var>function</var><code>)</code></td>
<td>Start the <a href="widget.html">widget</a>. The <var>id</var>
string must match the <code>id</code> of the widget's <code>div</code>.</td>
</tr>
<tr>
<td valign="top"><code>has(</code><var>object</var><code>,</code>
<var>name</var><code>)</code></td>
<td><code>true</code> if the <var>object</var> has an own property with that <var>name</var>.</td>
</tr>
<tr>
<td valign="top"><code>id(</code><var>id</var><code>)</code></td>
<td>Identify the <a href="widget.html">widget</a>. The <var>id</var>
string must match the <code>id</code> of the widget's <code>div</code>.</td>
</tr>
<tr>
<td valign="top"><code>isArray(</code><var>value</var><code>)</code></td>
<td>Returns <code>true</code> if the <var>value</var> is an array.</td>
</tr>
<tr>
<td nowrap valign="top"><code>keys(</code><var>object</var><code>)</code></td>
<td>Produce an array of keys from the own enumerable properties of an object.</td>
</tr>
<tr>
<td nowrap valign="top"><code>later(</code><var>function</var><code>,</code> <var>milliseconds</var><code>)</code></td>
<td>Call a function in the future.</td>
</tr>
<tr>
<td valign="top"><code>lib(</code><var>name</var><code>,</code> <var>function</var><code>)</code></td>
<td>Register an ADsafe <a href="widget.html">library</a>.</td>
</tr>
<tr>
<td valign="top"><code>log(</code><var>string</var><code>)</code></td>
<td>Post the <var>string</var> to the browser's log. On some browsers
it is necessary to start the debugger and select the console tab
to see the log. This method is a debugging convenience.</td>
</tr>
<tr>
<td valign="top"><code>remove(</code><var>object</var>, <var>name</var><code>)</code></td>
<td>Remove a property from the <var>object</var>.</td>
</tr>
<tr>
<td valign="top"><code>set(</code><var>object</var>, <var>name</var><code>,</code>
<var>value</var><code>)</code></td>
<td>Set a property's value on the <var>object</var>.</td>
</tr>
</tbody>
</table>
</div>
<img src="pill.png" width="32" height="32" align="right">
</body>
</html>
Jump to Line
Something went wrong with that request. Please try again.