Data-confined HTML5 Applications

Devdatta Akhawe, Frank Li, Warren He, Prateek Saxena, Dawn Song
European Symposium on Research in Computer Security (ESORICS), London, 2013

Abstract

Rich client-side applications written in HTML5 proliferate on diverse platforms, access sensitive data, and need to maintain data-confinement invariants. Applications currently enforce these invariants using implicit, ad-hoc mechanisms. We propose a new primitive called a data-confined sandbox or DCS. A DCS enables complete mediation of communication channels with a small TCB. Our primitive extends currently standardized primitives and has negligible performance overhead and a modest compatibility cost. We retrofit our design on four real-world HTML5 applications and demonstrate that a small amount of effort enables strong data-confinement guarantees.

Source Code Release

Our evaluation case studies are available here.