The complex architecture of browser technologies and dynamic characteristics of JavaScript make it difficult to ensure security in client-side web applications. Browser-level security policies alone are not sufficient because it is difficult to apply them correctly and they can be bypassed. As a result, they need to be completed by application-level security policies.

In this paper, we survey existing solutions for specifying and enforcing application-level security policies for client-side web applications, and distill a number of desirable features. Based on these features we developed Guardia, a framework for declaratively specifying and dynamically enforcing application-level security policies for JavaScript web applications without requiring VM modifications. We describe Guardia enforcement mechanism by means of JavaScript reflection with respect to three important security properties (transparency, tamper-proofness, and completeness). We also use Guardia to specify and deploy 12 access control policies discussed in related work in three experimental applications that are representative of real-world applications. Our experiments indicate that Guardia is correct, transparent, and tamper-proof, while only incurring a reasonable runtime overhead.
Original languageEnglish
Title of host publicationProceedings of the 15th International Conference on Managed Languages & Runtimes
PublisherAssociation for Computing Machinery (ACM)
Number of pages15
ISBN (Electronic)978-1-4503-6424-9
Publication statusPublished - 12 Sep 2018
Event15th International Conference on Managed Languages & Runtimes - Johannes Kepler University Linz, Linz, Austria
Duration: 11 Sep 201813 Sep 2018


Conference15th International Conference on Managed Languages & Runtimes
Abbreviated titleManLang '18
Internet address

    Research areas

  • DSL, JavaScript, Language design, Reflection, Runtime Enforcement, Security Policy, Web Security

ID: 39460379