The ease with which websites can share code is both a blessing and a curse for today’s Internet. It allows for powerful Web applications that pull a wide variety of data and services together. But it also puts a site at the mercy of code written by third parties–code that may have security vulnerabilities, or may prove problematic in combination with the rest of what’s offered by a site.
A new browser extension would allow developers to use third-party code without worrying about the vulnerabilities that such code might open up. A pair of researchers described this extension, called ConScript, in a talk given this week at the IEEE Symposium on Security and Privacy in Oakland, CA.
In many cases, Meyerovich says, this is a “benign but buggy situation.” When a problem does arise, he says, it’s often hard to see clearly who’s to blame–the service running the third-party code, or the code itself. This also makes it hard to fix problems.
With ConScript, the researchers hope to sidestep this issue by giving developers and site owners an easier way to control what third-party code on their sites can do.