Protecting Websites from Shared Code

New browser software can protect websites from software vulnerabilities.

The ease with which websites can share code is both a blessing and a curse for today’s Internet. It allows for powerful Web applications that pull a wide variety of data and services together. But it also puts a site at the mercy of code written by third parties: code that may have security vulnerabilities, or may prove problematic in combination with the rest of what’s offered by a site.

A new browser extension would allow developers to use third-party code without worrying about the vulnerabilities that such code might open up. A pair of researchers described this extension, called ConScript, in a talk given this week at the IEEE Symposium on Security and Privacy in Oakland, CA.

Modern websites can be “a little disturbing if we look under the hood,” says Leo Meyerovich, a researcher at the University of California, Berkeley, who was involved with the work. To demonstrate, he showed how the local business review site Yelp also runs JavaScript from Facebook, Google Analytics, and a company called Scorecard Research.

In many cases, Meyerovich says, this is a “benign but buggy situation.” When a problem does arise, he says, it’s often hard to see clearly who’s to blame: the service running the third-party code, or the code itself. This also makes it hard to fix problems.

With ConScript, the researchers hope to sidestep this issue by giving developers and site owners an easier way to control what third-party code on their sites can do.

ConScript requires adding a relatively small amount of code to the browser (about 1,000 lines). This code then examines JavaScript commands that are being processed by the browser. It will inject extra code that prevents the JavaScript from attempting tasks that the user has configured it to block.

Ben Livshits, a researcher from Microsoft Research who was also involved with the work, notes that ConScript provides a way for developers and browser manufacturers to advance the ways that sites use JavaScript without compromising security in the process. The system is designed to be a flexible, reliable, and lightweight way to enforce good security practices.

ConScript knows what behavior to enforce based on a set of policies chosen by the owner of a website. For example, a site owner might set the system so that untrusted code is never allowed to introduce pop-ups or direct the user to other websites. The researchers designed ConScript so that the owner of a website can choose these policies in several ways: by writing policies themselves, by choosing policies from a library of possibilities, or by generating them automatically based on analysis of the code of the website.

One advantage of ConScript’s design, Meyerovich says, is that it should allow developers to use older code without having to alter it, even if it contains known security vulnerabilities. This is important not only for new websites but also to allow users to safely access existing websites that aren’t being kept up-to-date. If the policies are well-designed and carefully selected, the researchers say, they shouldn’t interfere with any of a site’s intended functionality.

The researchers tested their system with several popular Web services, including Google Maps, MSN, Gmail, Live Desktop, and Google Calendar. They found that they were able to deploy their system without significantly slowing down these sites, a big concern for any system designed to protect against untrusted code.

Engin Kirda, a professor of computer science at Institute Eurecom in France, says that ConScript “is a very useful system. If it really gets integrated into the browser and people start using it, it will make the Internet much safer.”

Meyerovich says it would be technically straightforward to create ConScript extensions for all major browsers. However, he admits that establishing ConScript as a standard, so that all browser makers actually do this, could prove complicated.
