MIT Technology Review
ConScript knows what behavior to enforce based on a set of policies chosen by the owner of a website. For example, a site owner might set the system so that untrusted code is never allowed to introduce pop-ups or direct the user to other websites. The researchers designed ConScript so that the owner of a website can choose these policies in several ways: by writing policies themselves, by choosing policies from a library of possibilities, or by generating them automatically based on analysis of the code of the website.
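
An illustration of the policy idea described above, added here and not taken from ConScript or the researchers' code: a site owner selects policies from a small library, and untrusted code is handed only a guarded object. The policy names, the `guard` function and the mock `window` are assumptions made for this sketch, which is plain JavaScript rather than ConScript's own interface.

```javascript
// Policy library a site owner picks from (names are hypothetical).
const POLICY_LIBRARY = {
  noPopups: { calls: ['open'], sets: [] },
  noRedirects: { calls: ['assign', 'replace'], sets: ['href', 'location'] },
};
class PolicyViolation extends Error {}
// Wrap `target` so every call and assignment is checked against the chosen policies.
function guard(target, policyNames, log) {
  const chosen = policyNames.map((name) => {
    if (!POLICY_LIBRARY[name]) throw new Error(`unknown policy: ${name}`); // fail closed
    return { name, ...POLICY_LIBRARY[name] };
  });
  const check = (kind, prop) => {
    const hit = chosen.find((p) => p[kind].includes(prop));
    if (hit) log.push(`${hit.name}: blocked ${kind} ${String(prop)}`);
    if (hit) throw new PolicyViolation(`${hit.name} forbids ${String(prop)}`);
  };
  return new Proxy(target, {
    get(obj, prop) {
      const value = obj[prop];
      if (value && typeof value === 'object') return guard(value, policyNames, log); // e.g. location
      if (typeof value !== 'function') return value;
      return (...args) => { check('calls', prop); return value.apply(obj, args); };
    },
    set(obj, prop, value) { check('sets', prop); obj[prop] = value; return true; },
  });
}
// Mock `window`, constructed for this example so it runs outside a browser.
function makeMockWindow() {
  const w = { title: 'Shop', popups: [], location: { href: 'https://site.example/' } };
  w.open = (url) => { w.popups.push(url); return url; };
  w.location.assign = (url) => { w.location.href = url; };
  return w;
}
// Constructed stand-ins for untrusted code; each receives only the guarded object.
function runDemo() {
  const real = makeMockWindow(), log = [];
  const guarded = guard(real, ['noPopups', 'noRedirects'], log);
  const attempts = [
    (w) => { w.title = 'Shop (1 offer)'; },                 // allowed: no policy covers it
    (w) => w.open('https://ads.example/popup'),             // denied by noPopups
    (w) => { w.location.href = 'https://other.example/'; }, // denied by noRedirects
    (w) => w.location.assign('https://other.example/'),     // denied by noRedirects
  ];
  for (const attempt of attempts) {
    try { attempt(guarded); } catch (e) { if (!(e instanceof PolicyViolation)) throw e; }
  }
  return { real, log };
}
```

A wrapper like this holds only as long as untrusted code never receives a reference to the unwrapped object.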

One advantage of ConScript’s design, Meyerovich says, is that it should allow developers to use older code without having to alter it, even if it contains known security vulnerabilities. This is important not only for new websites but also to allow users to safely access existing websites that aren’t being kept up to date. If the policies are well designed and carefully selected, the researchers say, they shouldn’t interfere with any of a site’s intended functionality.

The researchers tested their system with several popular Web services, including Google Maps, MSN, Gmail, Live Desktop, and Google Calendar. They found that they were able to deploy their system without significantly slowing down these sites, a big concern for any system designed to protect against untrusted code.

Engin Kirda, a professor of computer science at Institute Eurecom in France, says that ConScript “is a very useful system. If it really gets integrated into the browser and people start using it, it will make the Internet much safer.”

Meyerovich says it would be technically straightforward to create ConScript extensions for all major browsers. However, he admits that establishing ConScript as a standard, so that all browser makers actually do this, could prove complicated.


Credit: Technology Review

Tagged: Web, security, javascript, IEEE Symposium on Security and Privacy, web browsers, Oakland conference
