Timothy Watt


Web sites, web browsers, web site authors, web component authors, and end users interact in a complicated environment with many recognized and unrecognized trust relationships. The web browser is the arena in which many important trust relationships interact, thus it bears a considerable burden in protecting the interests and security of web end users as well as web site authors. Existing proposals, draft standards, implemented features, and web application techniques go a long way towards allowing rich and compelling content interactions, but they do not provide for rich, mutually-distrusting content to be safely embedded in a single page. This proposal suggests a declarative policy mechanism that permits untrusted content to be safely embedded in a web site while still retaining some richness. It also suggests a policy integration approach to allow multiple cooperative (but not necessarily trusting) parties to provide components of a policy that combine together in a safe manner. It incorporates techniques including fine-grained and coarse-grained permission dropping and white-listing protections for retained capabilities. Finally, the proposed concepts are applied to a number of real-world CVE vulnerabilities, and it is explained how the proposal does or does not prevent or mitigate the attack. The solution is shown to be effective against cross-style-scripting style attacks, and to not be effective at preventing incoming cross-site request forgery attacks.

Library of Congress Subject Headings

Browsers (Computer programs)--Security measures; Web sites--Security measures; Computer crimes--Prevention

Publication Date


Document Type



Yuan, Bo

Advisor/Committee Member

Mishra, Sumita

Advisor/Committee Member

Pan, Yin


Note: imported from RIT’s Digital Media Library running on DSpace to RIT Scholar Works in December 2013. Physical copy available through RIT's The Wallace Library at: TK5105.882 .W38 2012


RIT – Main Campus