
Domain and URL Based Trust Management

JavaScript executes in the name space defined by both the browser window and the HTML page in which it is embedded. This name space is accessible to all scripts embedded in the same page. Standard JavaScript also grants access to that name space to scripts that run in other browser windows, provided they were loaded by an HTML page that came from the same server. This same-origin policy leads to the situation where scripts from, for example, e-mall.com/pet-shop can access all data (e.g., credit-card numbers) that the user enters into a form at https://e-mall.com/toy-store/checkout.html, provided that the user has pages from both shops open at the same time. Note that this access is possible even though toy-store uses SSL to secure its clients' data.

In our model, the JavaScript programmer can express trust explicitly by using ACLs. The toy-store programmer can state, in the initialization script of every toy-store page:

<SCRIPT LANGUAGE="Javascript">
document.ACL =
  "https://e-mall.com/toy-store";
...
</SCRIPT>

The statement above declares that only scripts loaded from a URL that begins with the listed access control list (ACL) entry are allowed to access the page's name space. Thus, if a script embedded in e-mall.com/pet-shop/snoop.html executes the following:

<SCRIPT LANGUAGE="Javascript">
toy_store_check_out_window =
  window.open("https://e-mall.com/toy-store/checkout.html");
...
</SCRIPT>

the page will be loaded into a new browser window on the user's desktop, but its name space will be inaccessible to the calling script.

If toy-store decides to collaborate with baby-store in order to cross-link, then the initialization might look like:

document.ACL =
  "https://e-mall.com/toy-store " +
  "https://e-mall.com/baby-store";
...

If these two stores want to collaborate further with a site that is not even part of the e-mall domain (e.g., the parentsoup site), existing browsers do not allow this at all, whereas our model accommodates it easily:

document.ACL =
  "https://e-mall.com/toy-store " +
  "https://e-mall.com/baby-store " +
  "www.parentsoup.com";
...

The last entry above is a domain name rather than a URL prefix; it admits every page served from that domain into the ACL.
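As an added example that is not part of the paper, the following JavaScript models how a browser implementing this scheme could decide whether a script's URL is admitted by a document.ACL string; the functions parseAcl, hostOf and aclAllows are assumptions, and the prefix test is made to stop at a path-segment boundary, which is stricter than the literal string-prefix match described above.

```javascript
// Added example (not the paper's code): evaluate a whitespace-separated
// document.ACL string. An entry with a scheme ("https://...") is a URL
// prefix; a bare name ("www.parentsoup.com") is a domain that admits every
// page served from that host.

// Constructed sample ACL, the three-entry list from the text above.
var TOY_STORE_ACL =
  "https://e-mall.com/toy-store\n" +
  " https://e-mall.com/baby-store\n" +
  " www.parentsoup.com";

function parseAcl(aclString) {
  return aclString.trim().split(/\s+/).filter(Boolean).map(function (entry) {
    if (/^[a-z][a-z0-9+.-]*:\/\//i.test(entry)) {
      // Drop trailing slashes so the boundary check below is uniform.
      return { kind: "prefix", value: entry.replace(/\/+$/, "") };
    }
    return { kind: "domain", value: entry.toLowerCase() };
  });
}

// Host part of an absolute URL, or null if the URL has no scheme.
function hostOf(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// True if scriptUrl is admitted by at least one ACL entry.
function aclAllows(aclString, scriptUrl) {
  var entries = parseAcl(aclString);
  var host = hostOf(scriptUrl);
  for (var i = 0; i < entries.length; i++) {
    var e = entries[i];
    if (e.kind === "prefix") {
      // Exact match, or the prefix followed by a path separator. A plain
      // string prefix would also admit "/toy-store-outlet/..."; the scheme
      // is part of the prefix, so an http:// page does not match https://.
      if (scriptUrl === e.value || scriptUrl.indexOf(e.value + "/") === 0) {
        return true;
      }
    } else if (host !== null && host === e.value) {
      return true;
    }
  }
  return false;
}
```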


Alain Mayer
8/30/1999