Protecting Private Web Content from Embedded Scripts
Yuchen Zhou and David Evans
European Symposium on Research in Computer Security (ESORICS 2011)
Leuven, Belgium
12-14 September 2011
Abstract
Many web pages display personal information provided by users. The goal
of this work is to protect that content from untrusted scripts that are
embedded in host pages. We present a browser modification that provides
fine-grained control over what parts of a document are visible to
different scripts, and executes untrusted scripts in isolated
environments where private information is not accessible. To ease
deployment, we present a method for automatically inferring what nodes
in a web page contain private content. This paper describes how we
modify the Chromium browser to enforce newly defined security policies,
presents our automatic policy generation method, and reports on
experiments inferring and enforcing privacy policies for a variety of
web applications.
Paper
Full paper: PDF (20 pages)
Source Code
Modified Chromium: https://github.com/Treeeater/Chromium_on_windows
Policy Learner Proxy: https://github.com/Treeeater/GreasySpoon-proxy-script