Skip to main content
Kent Academic Repository

WebPol: Fine-Grained Information Flow Policies for Web Browsers

Bichhawat, Abhishek, Rajani, Vineet, Jain, Jinank, Garg, Deepak, Hammer, Christian (2017) WebPol: Fine-Grained Information Flow Policies for Web Browsers. In: Computer security - ESORICS 2017. Lecture Notes in Computer Science , 10492. pp. 242-259. Springer ISBN 978-3-319-66401-9. E-ISBN 978-3-319-66402-6. (doi:10.1007/978-3-319-66402-6_15) (The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided) (KAR id:90607)

The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided. (Contact us about this Publication)
Official URL:
https://doi.org/10.1007/978-3-319-66402-6_15

Abstract

In the standard web browser programming model, third-party scripts included in an application execute with the same privilege as the application’s own code. This leaves the application’s confidential data vulnerable to theft and leakage by malicious code and inadvertent bugs in the third-party scripts. Security mechanisms in modern browsers (the same-origin policy, cross-origin resource sharing and content security policies) are too coarse to suit this programming model. All these mechanisms (and their extensions) describe whether or not a script can access certain data, whereas the meaningful requirement is to allow untrusted scripts access to confidential data that they need and to prevent the scripts from leaking data on the side. Motivated by this gap, we propose WebPol, a policy mechanism that allows a website developer to include fine-grained policies on confidential application data in the familiar syntax of the JavaScript programming language. The policies can be associated with any webpage element, and specify what aspects of the element can be accessed by which third-party domains. A script can access data that the policy allows it to, but it cannot pass the data (or data derived from it) to other scripts or remote hosts in contravention of the policy. To specify the policies, we expose a small set of new native APIs in JavaScript. Our policies can be enforced using any of the numerous existing proposals for information flow tracking in web browsers. We have integrated our policies into one such proposal that we use to evaluate performance overheads and to test our examples.

Item Type: Conference or workshop item (Paper)
DOI/Identification number: 10.1007/978-3-319-66402-6_15
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Amy Boaler
Date Deposited: 05 Oct 2021 14:15 UTC
Last Modified: 05 Nov 2024 12:56 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/90607 (The current URI for this page, for reference purposes)

University of Kent Author Information

Rajani, Vineet.

Creator's ORCID:
CReDIT Contributor Roles:
  • Depositors only (login required):

Total unique views for this document in KAR since July 2020. For more details click on the image.