Inspiration

When web developers use a third-party ad or analytics script (e.g. Google Analytics), they are trusting that party with their users' data. Unfortunately, third parties sometimes turn out to be malicious, or they may be compromised. The New York Times experienced this at one point, requiring them to tweet, "Attn: NYTimes.com readers: Do not click pop-up box warning about a virus -- it's an unauthorized ad we are working to eliminate." Other possible exploits include scraping sensitive personal or financial information from a web page and sending it back to the malicious or compromised third party's servers.

In order to protect user data, it's important to keep third parties in check. However, reviewing third-party scripts manually is impractical and incomplete, so JS Policy offers a way to enforce what these scripts can and can't access on a web page.

What it does

JS Policy is a JavaScript sandbox that isolates third-party scripts from the primary JavaScript runtime and gives the sandbox a limited view of the DOM (the actual content on the page).

How I built it

JS Policy is implemented using a web worker inside a sandboxed iframe, with DOM reads and mutations passing through a detailed policy written by the web developer using the product.

Challenges I ran into

JavaScript is designed for single-threaded applications, so it lacks many useful synchronization primitives. I had to implement some of these primitives by repurposing a few brand new/experimental browser features.

Accomplishments that I'm proud of

I'm proud of how I was able to get a proof-of-concept demo of this idea up and running in just 24 hours, especially given that this is my first time working with the lower-level guts of the JavaScript runtime.

What I learned

I learned a lot about service workers and JavaScript's runtime.

What's next for JS Policy

I am hoping to continue to develop the project to support more nuanced policies.

JS Policy uses a new, experimental browser feature called SharedArrayBuffer, so it only works in Chromium (pre-release Chrome) with special settings; unfortunately, that means a public demo URL wouldn't be of much use.
