Making JavaScript Safe for Advertising.

JavaScript, the programming language of the web browser, is not a secure language. Any script in a page has intimate access to all of the information and relationships of the page. This makes mashups and scripted advertising unacceptably risky.

ADsafe makes it safe to put guest code (such as third party scripted advertising or widgets) on any web page. ADsafe defines a subset of JavaScript that is powerful enough to allow guest code to perform valuable interactions, while at the same time preventing malicious or accidental damage or intrusion. The ADsafe subset can be verified mechanically by tools like JSLint so that no human inspection is necessary to review guest code for safety. The ADsafe subset also enforces good coding practices, increasing the likelihood that guest code will run correctly.

The ADsafe subset blocks a script from accessing any global variables or from directly accessing the Document Object Model or any of its elements. Instead, ADsafe gives the script access to an ADSAFE object that is provided by the page's server, giving indirect access to the guest code's DOM elements and other page services.

ADsafe does not modify scripts. It will not make scripts bigger or slower or alter their behavior. ADsafe makes it possible to quickly and reliably determine that a script is safe for placement on a site's pages.

And because ADsafe verification is not destructive, it can be performed at every stage of the deployment pipeline, or even after delivery as part of compliance testing.

How ADsafe Works.

ADsafe removes features from JavaScript that are either unsafe, grant uncontrolled access to unsafe browser components, or contribute to poor code quality. The removed features include:

  • Global variables
    • ADsafe's object capability model prohibits the use of most global variables. Limited access to Array, Boolean, Number, String, and Math is allowed.
  • this
    • If a method is called as a function, this is bound to the global object. Since ADsafe needs to restrict access to the global object, it must prohibit the use of this in guest code.
  • eval
    • The eval function provides access to the global object.
  • with statement
    • The with statement modifies the scope chain, making static analysis impossible.
  • Dangerous methods and properties: apply, arguments, call, callee, caller, constructor, eval, prototype, unwatch, valueOf, watch
    • Capability leakage can occur with these names in at least some browsers, so use of these names with . notation is prohibited.
  • Names starting with _
    • Some browsers have dangerous properties or methods that start with _.
  • [ ] subscript operator except when the subscript is a numeric literal
    • Lookup of dynamic properties could provide access to the restricted members. Use the ADSAFE.get and ADSAFE.put methods instead.
  • Date and Math.random
    • Access to these sources of non-determinism is restricted in order to make it easier to determine how widgets behave.

The good features of the language, including most of the methods of the standard types, are available to guest code. In place of the excluded features, ADsafe provides an ADSAFE object whose methods restore the functionality in a safe way. For example, ADSAFE.get(object, key) and ADSAFE.set(object, key, value) take the place of the subscript operator.
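As an added illustration (not ADsafe's own adsafe.js), here is a minimal guarded accessor in the spirit of ADSAFE.get and ADSAFE.set: it refuses the dangerous names listed above and any name starting with _, and returns only own properties so inherited members cannot leak. The helper names isSafeKey, safeGet, safeSet and isRejected, and the sample widget object, are assumptions made for this example.

```javascript
"use strict";

// Names the page lists as capability leaks in at least some browsers.
const BANNED = new Set([
  "apply", "arguments", "call", "callee", "caller", "constructor",
  "eval", "prototype", "unwatch", "valueOf", "watch"
]);

// Accept only non-negative integer indexes, or strings that are not
// banned and do not start with an underscore (covers __proto__ etc.).
function isSafeKey(key) {
  if (typeof key === "number") {
    return Number.isInteger(key) && key >= 0;
  }
  if (typeof key !== "string") {
    return false;
  }
  return key.charAt(0) !== "_" && !BANNED.has(key);
}

// Guarded replacement for object[key]. Only own properties are returned,
// so inherited members such as Object.prototype.toString never leak.
function safeGet(object, key) {
  if (!isSafeKey(key)) {
    throw new Error("ADsafe violation: forbidden key " + String(key));
  }
  return Object.prototype.hasOwnProperty.call(object, key) ? object[key] : undefined;
}

// Guarded replacement for object[key] = value.
function safeSet(object, key, value) {
  if (!isSafeKey(key)) {
    throw new Error("ADsafe violation: forbidden key " + String(key));
  }
  object[key] = value;
  return value;
}

// True when the guard rejects a read of object[key] (constructed check helper).
function isRejected(object, key) {
  try {
    safeGet(object, key);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample: data a widget might keep for itself.
const widget = { title: "Weather", items: ["sun", "rain"] };
```

A plain subscript such as widget["constructor"] or widget["__proto__"] would hand the widget an object it was never given, which is exactly the lookup the guard refuses.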

Restrictions

All files and components must be encoded in UTF-8 and be properly identified as such.

Untrusted code will be able to indirectly call the window.onerror handler. The handler must be coded such that being called by untrusted code will cause no breach.

None of the prototypes of the built-in types may be augmented with methods that can breach ADsafe's containment.

All of the HTML id attributes defined on the page must be unique.

Like a right gipsy, hath, at fast and loose,
Beguiled me to the very heart of loss.

William Shakespeare, Antony and Cleopatra