Privilege Separation in HTML5 Applications

To appear at the 21st USENIX Security Symposium (USENIX Security), August 2012

Abstract

The standard approach to privilege separation in web applications is to execute application components in different web origins. This limits the practicality of privilege separation, since each web origin carries a financial and administrative cost. In this paper, we propose a new design for achieving effective privilege separation in HTML5 applications that shows how applications can cheaply create an arbitrary number of components. Our approach uses standardized abstractions already implemented in modern browsers. In contrast to prior approaches, we do not advocate any changes to the underlying browser and do not require learning new high-level languages. We empirically show that we can retrofit our design to real-world HTML5 applications (browser extensions and rich client-side applications), achieving a reduction of 6x to 10000x in TCB for our case studies. Our mechanism requires fewer than 13 lines of application-specific code changes and considerably improves auditability. Our design has influenced the security architecture of upcoming Chrome applications.
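The abstract does not name the browser abstractions it builds on. The following is an added illustration, not code from the paper or its case studies, of one way to get cheap, origin-free components with standard browser features: each unprivileged component runs in a sandboxed iframe (no `allow-same-origin`, so it gets a fresh opaque origin that shares no DOM, cookies or storage with the parent), and the only way back into the privileged parent "shim" is `postMessage`, where a small policy decides which component may invoke which privileged API. The API names, component names, policy and sample data are all constructed for the example; the choice of sandboxed iframes plus `postMessage` is an assumption about how such a design can be realized, not a statement of the paper's mechanism.

```javascript
'use strict';

// Privileged operations the shim performs on a component's behalf.
// Hypothetical names; a real application would wrap its own sensitive calls here.
const PRIVILEGED_APIS = {
  readBookmarks: () => ['https://example.org'],   // constructed sample data
  // The secret itself never leaves the shim; only a derived value is exposed.
  secretLength: () => 'hunter2'.length,           // constructed sample secret
};

// Per-component policy: which privileged APIs each component may call.
// Component names and allowed sets are hypothetical.
const POLICY = {
  ui: new Set(['readBookmarks']),
  parser: new Set([]),
};

// The shim is the trusted computing base: it maps message sources to component
// names and enforces the policy on every request.
function createShim(apis, policy) {
  const components = new Map(); // iframe contentWindow (or any handle) -> component name
  return {
    register(handle, name) { components.set(handle, name); },
    knows(handle) { return components.has(handle); },
    // Handle one message event {source, origin, data} and return the reply the
    // shim would post back. Every rejection is explicit; nothing is thrown.
    handle(event) {
      const name = components.get(event.source);
      if (name === undefined) return { ok: false, error: 'unknown source' };
      // A sandboxed iframe without allow-same-origin has an opaque origin, which
      // message events report as the string 'null'. Anything else is not one of ours.
      if (event.origin !== 'null') return { ok: false, error: 'unexpected origin' };
      const { id, api, args } = event.data || {};
      if (!policy[name] || !policy[name].has(api)) {
        return { ok: false, id, error: `policy denies ${name} -> ${api}` };
      }
      if (typeof apis[api] !== 'function') return { ok: false, id, error: 'no such api' };
      return { ok: true, id, result: apis[api](...(Array.isArray(args) ? args : [])) };
    },
  };
}

// Browser-only: spawn a component as a sandboxed iframe. Guarded so the file also
// loads outside a browser, where only the policy logic above is exercised.
function createComponent(shim, name, code) {
  if (typeof document === 'undefined') return null;
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts'); // no allow-same-origin => opaque origin
  frame.srcdoc = `<script>${code}</script>`;
  document.body.appendChild(frame);
  shim.register(frame.contentWindow, name);
  return frame;
}

if (typeof window !== 'undefined') {
  const shim = createShim(PRIVILEGED_APIS, POLICY);
  window.addEventListener('message', (ev) => {
    if (!shim.knows(ev.source)) return;          // ignore windows we did not create
    // targetOrigin must be '*' because an opaque origin cannot be named explicitly.
    ev.source.postMessage(shim.handle(ev), '*');
  });
  createComponent(shim, 'ui',
    "parent.postMessage({id: 1, api: 'readBookmarks', args: []}, '*');" +
    "onmessage = (e) => console.log(JSON.stringify(e.data));");
}
```

Loaded in a page, the `ui` frame receives `{"ok":true,"id":1,"result":["https://example.org"]}` while a `parser` frame asking the same question is refused by policy; a message from any window the shim did not create, or with a non-opaque origin, is dropped before the policy is even consulted. Adding a further component costs one more iframe and one more policy entry, with no new web origin to provision.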

Source Code Release

Our evaluation case studies are available here

Awards

A poster on a preliminary version of this work was awarded best poster at the SCRUBS poster session 2012.