Finding the Subject Origin URL

JavaScript has a number of possible ways to pass the control flow or to generate an additional thread of execution:

1.

Function/method call: e.g., v = foo(x); or u = otherWindow.foo(x);

2.

Dynamic generation of JavaScript code: e.g., document.write(foo(x);); or myWindow.eval(foo(x));.

3.

JavaScript URL: e.g., otherWindow.location = "javascript:foo(x)";

4.

JavaScript invocation through HTML (browser):

      
<a target=otherWin href="javascript:
   alert(window.location);" >

Also, code invoked through installed event handlers, ``script'' tags, etc.

Most ``traditional'' languages only have function/method calls. In those cases it is usually fairly straightforward to determine which entity originated the call sequence by inspecting the call stack, i.e., stack inspection. The additional methods and flexibility in JavaScript complicate this task. For instance, dynamic invocation has the flavor of a function call, but the passing of control does not take place instantly. In fact, a callee might be executing at a time when the caller is no longer on the stack. Therefore, we propose the use of proactive forward passing of the subject origin information. Whenever a passing of the control flow in the code is indicated (and whether it is about to take place right then or not), the interpreter sets the subject domain of the callee to the subject domain of the caller, in such a way that when the callee executes, this value can be easily retrieved.

We distinguish three cases:

• The callee will begin executing immediately. Either its stack frame is loaded right on top of the caller's frame (e.g., regular function call) or its stack frame is loaded onto another document's stack frame (e.g., javascript URL). Hence, the interpreter can propagate the subject origin information among stack frames (which logically form a tree structure).
• The callee will execute at a later point (e.g., document.write). In this case, the callee will be the top-level stack frame in its document. Hence, the interpreter can store the subject origin information as an attribute of the document. Once the top-level stack frame gets loaded, the interpreter fetches the subject origin information from the document attribute and initializes the subject origin value in the top-level stack frame.
• JavaScript is invoked through HTML. In this case, the callee executes in a top-level frame of the JavaScript stack of its document. Hence, the browser should play the role of a JavaScript caller as far as the passing of the subject origin to the top-level frame is concerned.

Our goal is to arrive at a situation where, for every stack frame loaded, the correct subject origin can be retrieved from a well-defined location and, consequently, there will never be the need to search backward for it or even to fail and declare ``unknown origin'', as might occur in the current version of JavaScript (4.x browsers).