MIT Technology Review



The ease with which websites can share code is both a blessing and a curse for today’s Internet. It allows for powerful Web applications that pull a wide variety of data and services together. But it also puts a site at the mercy of code written by third parties–code that may have security vulnerabilities, or may prove problematic in combination with the rest of what’s offered by a site.

A new browser extension would allow developers to use third-party code without worrying about the vulnerabilities that such code might open up. A pair of researchers described this extension, called ConScript, in a talk given this week at the IEEE Symposium on Security and Privacy in Oakland, CA.

Modern websites can be “a little disturbing if we look under the hood,” says Leo Meyerovich, a researcher at the University of California, Berkeley, who was involved with the work. To demonstrate, he showed how the local business review site Yelp also runs JavaScript from Facebook, Google Analytics, and a company called Scorecard Research.

In many cases, Meyerovich says, this is a “benign but buggy situation.” When a problem does arise, he says, it’s often hard to see clearly who’s to blame–the service running the third-party code, or the code itself. This also makes it hard to fix problems.

With ConScript, the researchers hope to sidestep this issue by giving developers and site owners an easier way to control what third-party code on their sites can do.

ConScript requires adding a relatively small amount of code to the browser (about 1,000 lines). This code then examines JavaScript commands that are being processed by the browser. It will inject extra code that prevents the JavaScript from attempting tasks that the user has configured it to block.
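The mechanism described above, checking a policy before a sensitive call is allowed to run, can be sketched in page-level JavaScript; this is an added example, not ConScript's code, and ConScript enforces its policies inside the browser rather than in the page. The host object, the function names, the policies and the `site.example` origin are all constructed for the illustration.

```javascript
// Added illustration; every name is hypothetical. makeHost() is a constructed
// stand-in for browser APIs so the example runs outside a browser.
function makeHost() {
  const sent = [];
  return {
    sent,
    readCookie: () => 'session=constructed-value',
    createElement: (tag) => ({ tag }),
    send: (url, body) => { sent.push({ url, body }); return true; },
  };
}

// Replace host[name] with a wrapper that asks the policy before each call.
// The original stays in a closure; the property is locked against reassignment.
function guard(host, name, policy, log) {
  const original = host[name];
  Object.defineProperty(host, name, {
    writable: false, configurable: false,
    value: function (...args) {
      const verdict = policy(...args); // true, or a string giving the denial reason
      if (verdict !== true) {
        log.push({ name, reason: verdict });
        throw new Error(`policy: ${name} blocked (${verdict})`);
      }
      return original.apply(this, args);
    },
  });
}

// Install every policy before any third-party code runs; returns the denial log.
function applyPolicies(host, policies) {
  const log = [];
  for (const [name, policy] of Object.entries(policies)) guard(host, name, policy, log);
  return log;
}

// Constructed policy set: what the site owner has chosen to block.
const examplePolicies = {
  readCookie: () => 'cookie access denied',
  createElement: (tag) =>
    String(tag).toLowerCase() === 'script' ? 'dynamic script creation denied' : true,
  send: (url) =>
    new URL(url).origin === 'https://site.example' ? true : 'cross-origin send denied',
};

// Run a third-party function against the guarded host, containing any denial.
function runThirdParty(host, code) {
  try { return { ok: true, value: code(host) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```

The denial log returned by `applyPolicies` records which call was blocked and why, which addresses the attribution problem Meyerovich describes.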

Ben Livshits, a researcher from Microsoft Research who was also involved with the work, notes that ConScript provides a way for developers and browser manufacturers to advance the ways that sites use JavaScript without compromising security in the process. The system is designed to be a flexible, reliable, and lightweight way to enforce good security practices.


Credit: Technology Review

Tagged: Web, security, javascript, IEEE Symposium on Security and Privacy, web browsers, Oakland conference
