JSand: Complete Client-Side Sandboxing of Third-Party JavaScript without Browser Modifications
We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely on the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.
Author(s):
Pieter Agten
IBBT-Distrinet, KU Leuven
Belgium
Steven Van Acker
IBBT-Distrinet, KU Leuven
Belgium
Yoran Brondsema
IBBT-Distrinet, KU Leuven
Belgium
Phu H. Phung
Chalmers University of Technology
Sweden
Lieven Desmet
IBBT-Distrinet, KU Leuven
Belgium
Frank Piessens
IBBT-Distrinet, KU Leuven
Belgium