SafeJS: Hermetic Sandboxing for JavaScript
This work addresses security vulnerabilities in web applications by providing a practical solution for isolating JavaScript components, though it is incremental as it builds on existing web worker technology.
SafeJS tackles the challenge of isolating JavaScript programs by introducing a sandboxing approach based on web workers that prevents data sharing and restricts data exchange to strings, enabling secure isolation of scripts in web pages to prevent unauthorized DOM modifications.
Isolating programs is an important mechanism to support more secure applications. Isolating program in dynamic languages such as JavaScript is even more challenging since reflective operations can circumvent simple mechanisms that could protect program parts. In this article we present SafeJS, an approach and implementation that offers isolation based on separate sandboxes and control of information exchanged between them. In SafeJS, sandboxes based on web workers do not share any data. Data exchanged between sandboxes is solely based on strings. Using different policies, this infrastructure supports the isolation of the different scripts that usually populate web pages. A foreign component cannot modify the main DOM tree in unexpected manner. Our SafeJS implementation is currently being used in an industrial setting in the context of the Resilience FUI 12 project.