Abstract
Modern Web applications combine and use JavaScript-based content from multiple untrusted sources. Without proper isolation, such content can compromise the security and privacy of these Web applications. Prior techniques for isolating untrusted JavaScript code do so by restricting dangerous constructs and inlining security checks into third-party code. This paper makes the case that JavaScript must be extended to make isolation a language-level primitive. We propose to extend the language using a new transaction construct that allows a Web application to speculatively execute untrusted code and isolate the changes and effects it performs. The Web application can then inspect these speculative actions and commit them only if they comply with the application’s security policies. We discuss use-cases that can benefit from JavaScript support for transactions, present a formalization of JavaScript transactions and conclude with implementation considerations.