Team for Research in
Ubiquitous Secure Technology

Object Views: Fine-Grained Sharing in Browsers
Leo Meyerovich, Adrienne Porter Felt, Mark Miller

Citation
Leo Meyerovich, Adrienne Porter Felt, Mark Miller. "Object Views: Fine-Grained Sharing in Browsers". International World Wide Web Conference (WWW), 2010.

Abstract
Browsers do not currently support the secure sharing of JavaScript objects between principals. We present this problem as the need for object views, which are consistent and controllable versions of objects. Multiple views can be made for the same object and customized for the recipients. We implement object views with a JavaScript library that wraps shared objects and interposes on all access attempts. The security challenge is to fully mediate access to objects shared through a view and prevent privilege escalation. We discuss how object views can be deployed in two settings: same-origin sharing with rewriting-based JavaScript isolation systems like Google Caja, and inter-origin sharing between browser frames over a message-passing channel. To facilitate simple document sharing, we build a policy system for declaratively defining policies for document object views. Notably, our document policy system makes it possible to hide elements without breaking document structure invariants. Developers can control the fine-grained behavior of object views with an aspect system that accepts programmatic policies.

Electronic downloads

Citation formats  
  • HTML
    Leo Meyerovich, Adrienne Porter Felt, Mark Miller. <a
    href="http://www.truststc.org/pubs/651.html"
    >Object Views: Fine-Grained Sharing in
    Browsers</a>, International World Wide Web Conference
    (WWW), 2010.
  • Plain text
    Leo Meyerovich, Adrienne Porter Felt, Mark Miller.
    "Object Views: Fine-Grained Sharing in Browsers".
    International World Wide Web Conference (WWW), 2010.
  • BibTeX
    @inproceedings{MeyerovichFeltMiller10_ObjectViewsFineGrainedSharingInBrowsers,
        author = {Leo Meyerovich and Adrienne Porter Felt and Mark
                  Miller},
        title = {Object Views: Fine-Grained Sharing in Browsers},
        booktitle = {International World Wide Web Conference (WWW)},
        year = {2010},
        abstract = {Browsers do not currently support the secure
                  sharing of JavaScript objects between principals.
                  We present this problem as the need for object
                  views, which are consistent and controllable
                  versions of objects. Multiple views can be made
                  for the same object and customized for the
                  recipients. We implement object views with a
                  JavaScript library that wraps shared objects and
                  interposes on all access attempts. The security
                  challenge is to fully mediate access to objects
                  shared through a view and prevent privilege
                  escalation. We discuss how object views can be
                  deployed in two settings: same-origin sharing with
                  rewriting-based JavaScript isolation systems like
                  Google Caja, and inter-origin sharing between
                  browser frames over a message-passing channel. To
                  facilitate simple document sharing, we build a
                  policy system for declaratively defining policies
                  for document object views. Notably, our document
                  policy system makes it possible to hide elements
                  without breaking document structure invariants.
                  Developers can control the fine-grained behavior
                  of object views with an aspect system that accepts
                  programmatic policies.},
        URL = {http://www.truststc.org/pubs/651.html}
    }
    

Posted by Adrienne Porter Felt on 18 Feb 2010.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.