Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Policies
JavaScript Security Presentation
-
Upload
kiran-kumar-kuppa -
Category
Documents
-
view
218 -
download
0
Transcript of JavaScript Security Presentation
-
8/9/2019 JavaScript Security Presentation
1/89
JavaScript securityor
JavaScript: the Good, the Bad,the Strict and the Secure Parts
Tom Van Cutsem
-
8/9/2019 JavaScript Security Presentation
2/89
Talk Outline
Part I: JavaScript, the Good and the Bad parts
Part II: ECMAScript 5 and Strict Mode
Part III: ECMAScript 6 Proxies
Part IV: Caja and Secure ECMAScript (SES)
-
8/9/2019 JavaScript Security Presentation
3/89
Talk Outline
This talk is about:
The JavaScript language proper
Language dialects and features to enable or improve security
This talk is not about:
Security exploits in JavaScript, or how to avoid specific exploits
(e.g. XSS attacks)
-
8/9/2019 JavaScript Security Presentation
4/89
About Me
Professor of Computer Science at Vrije Universiteit Brussel, Belgium
Programming Languages, concurrent and distributed programming
ECMA TC39 (Javascript standardization committee)
Visiting Faculty at the Google Caja team (2010)
-
8/9/2019 JavaScript Security Presentation
5/89
Part I: Javascript, the Good and the Bad parts
-
8/9/2019 JavaScript Security Presentation
6/89
JavaScript
Lightning talk Gary Bernhardt at CodeMash 2012
https://www.destroyallsoftware.com/talks/wat
https://www.destroyallsoftware.com/talks/wathttps://www.destroyallsoftware.com/talks/wat -
8/9/2019 JavaScript Security Presentation
7/89
The worlds most misunderstood language
See also: JavaScript: The World's Most Misunderstood Programming Language
by Doug Crockford at http://www.crockford.com/javascript/javascript.html
http://www.crockford.com/javascript/javascript.htmlhttp://www.crockford.com/javascript/javascript.htmlhttp://www.crockford.com/javascript/javascript.html -
8/9/2019 JavaScript Security Presentation
8/89
Good Parts: Functions
Closures, higher-order, first-class
var add = function(a,b) {
returna+b;}
add(2,3);
[1,2,3].map(function(x) { returnx*x; })
node.addEventListener(click, function(e) { clicked++; })
functionmakeAdder(a) {
returnfunction(b) { returna+b;
}
}
makeAdder(2)(3);
-
8/9/2019 JavaScript Security Presentation
9/89
Good Parts: Objects
No classes, literal syntax, arbitrary nesting
varbob = {
name: Bob,
dob: {
day: 15,
month: 03,
year: 1980
},
address: {
street: ..., number: 5,
zip: 94040,
country: ...
}
};
functionmakePoint(i,j) {
return{
x: i,
y: j,
toString: function() {
return(+ this.x +,+ this.y +);
}
};
}varp = makePoint(2,3);
varx = p.x;
vars = p.toString();
-
8/9/2019 JavaScript Security Presentation
10/89
A dynamic language...
// dynamically add new properties to an objectobj.bar = baz;
// delete properties from an object
deleteobj.foo;
// computed property access and assignment
obj[foo]
obj[foo] = 42;
// enumerate an objects properties
for(varprop inobj) { console.log(prop); }
// dynamic method invocation
varf = obj.m;f.apply(obj, [1,2,3]);
-
8/9/2019 JavaScript Security Presentation
11/89
Bad Parts: global variables
Scripts depend on global variables for linkage
varlib = (function(){
varx; // local
return{...};
}())
varx; // global
varlib = {...};
... lib ...
Bad Better
-
8/9/2019 JavaScript Security Presentation
12/89
Bad Parts: with statement
with-statement breaks static scoping
varx = 42;varobj = {};
with(obj) {
print(x); // 42
obj.x = 24; print(x); // 24
}
with(expr) {
... x ...
}
-
8/9/2019 JavaScript Security Presentation
13/89
More Bad Parts
var hoisting: variables are not block-scoped but function-scoped
Implicit type coercions
No integers (all numbers are IEEE 754 floating point)
Automatic semicolon insertion
...
-
8/9/2019 JavaScript Security Presentation
14/89
Delving Deeper
Some finer points about
Functions
Objects
Methods
-
8/9/2019 JavaScript Security Presentation
15/89
Functions
Functions are objects
functionadd(x,y) { returnx + y; }
add(1,2) // 3
add.apply(undefined, [1,2]) // 3
-
8/9/2019 JavaScript Security Presentation
16/89
Objects
No classes.
Functions may act as object constructors.
All objects have a prototype: object-based inheritance
-
8/9/2019 JavaScript Security Presentation
17/89
Objects
functionPoint(x, y) {
this.x = x;
this.y = y;
}
Point.prototype = {
toString: function() {
return"[Point "+this.x+","+this.y+"]";
}
}
var p = newPoint(1,2);
__proto__
x 1
y 2
toString function
... ...
prototype
... ...
Point
p
Point.prototype
-
8/9/2019 JavaScript Security Presentation
18/89
Functions / Methods
Methods of objects are just functions
When a function is called as a method, thisis bound to the receiverobject
var obj = {
offset: 10,
index: function(x) { returnthis.offset + x; }
}
obj.index(0); // 10
-
8/9/2019 JavaScript Security Presentation
19/89
Functions / Methods
Methods may be extracted from objects and used as stand-alonefunctions
var obj = {
offset: 10,
index: function(x) { returnthis.offset + x; }
}
var indexf = obj.index;
otherObj.index = indexf;
indexf(0) // error
indexf.apply(obj, [0]) // 10
-
8/9/2019 JavaScript Security Presentation
20/89
Functions / Methods
Methods may be extracted from objects and used as stand-alonefunctions
var obj = {
offset: 10,
index: function(x) { returnthis.offset + x; }
}
var indexf = obj.index.bind(obj); // new in ES5
indexf(0) // 10
-
8/9/2019 JavaScript Security Presentation
21/89
Summary so far
Javascript: a Lisp in Cs clothing (D. Crockford)
Good parts: functions, object literals
Bad parts: global vars, lack of static scoping, var hoisting
No way to protect an object from modifications by its clients
Unsafe to share objects across trust boundaries
-
8/9/2019 JavaScript Security Presentation
22/89
Part II: ECMAScript 5 and Strict Mode
-
8/9/2019 JavaScript Security Presentation
23/89
ECMAScript
Standard Javascript
1st ed. 1997
2nd ed. 1998
3rd ed. 1999
4th ed.
5th ed. 2009
6th ed. end of 2013 (tentative)
"#$#%#&'# &()*#%
+,-./01231445
6+')7 8&9#%&79:;&7< 1445
ECMA-2625
thEdition / December 2009
ECMAScript LanguageSpecification
-
8/9/2019 JavaScript Security Presentation
24/89
ECMAScript 5 Themes
New APIs
Array methods, JSON, bound functions, ...
More robust programming
Tamper-proof objects, strict mode, ...
Better emulation of host objects (e.g. the DOM)
Accessors (getter / setter properties), property attributes
-
8/9/2019 JavaScript Security Presentation
25/89
ECMAScript 5 Themes
New APIs
Array methods, JSON, bound functions, ...
More robust programming
Tamper-proof objects, strict mode, ...
Better emulation of host objects (e.g. the DOM)
Accessors (getter / setter properties), property attributes
-
8/9/2019 JavaScript Security Presentation
26/89
JSON
JavaScript Object Notation
A simple subset of Javascript (numbers, strings, arrays and objectswithout methods)
Formal syntax literally fitsin a margin. See http://json.org/
{ name : Bob,
age : 42, address : {
street : main st
}
}
http://json.org/http://json.org/ -
8/9/2019 JavaScript Security Presentation
27/89
ECMAScript 5 and JSON
Before ES5, could either parse quickly or safely
Unsafe:
In ES5: use JSON.parse, JSON.stringify
eval(jsonString)
0 1
1
2
a
x 2
[1, a, {x:2}]
[1,\a\,{\x\:2}]
JSON.stringify
JSON.parse
-
8/9/2019 JavaScript Security Presentation
28/89
ECMAScript 5 Themes
New APIs
Array methods, JSON, bound functions, ...
More robust programming
Tamper-proof objects, strict mode, ...
Better emulation of host objects (e.g. the DOM)
Accessors (getter / setter properties), property attributes
-
8/9/2019 JavaScript Security Presentation
29/89
Tamper-proof Objects
Object.freeze(point);
point.x = 7;// error: cant assign properties
Object.seal(point);
delete point.x;// error: cant delete properties
Object.preventExtensions(point);
point.z = 0;// error: cant add new properties
varpoint =
{ x: 0,
y: 0 };
-
8/9/2019 JavaScript Security Presentation
30/89
Ecmascript 5 Strict mode
Safer subset of the language
No silent errors
True static scoping rules
No global object leakage
-
8/9/2019 JavaScript Security Presentation
31/89
Ecmascript 5 Strict mode
Explicit opt-in to avoid backwards compatibility constraints
How to opt-in
Per program (file, script tag, ...)
Per function
Strict and non-strict mode code can
interact (e.g. on the same web page)
"use strict";
...
functionf() { "use strict";
...
}
-
8/9/2019 JavaScript Security Presentation
32/89
Strict-mode opt-in: gotchas
Beware: minification and deployment tools may concatenate scripts
"use strict";
// in strict mode
// not in strict mode
functionf(){...}
"use strict";
// in strict mode
// f is now// accidentally strict!
functionf(){...}
-
8/9/2019 JavaScript Security Presentation
33/89
Strict-mode opt-in: gotchas
Suggested refactoring is to wrap script blocks in function bodies
(function(){
"use strict";
// in strict mode
}())
// not in strict mode
functionf(){...}
(function(){
"use strict";
// in strict mode
})
// not in strict mode
functionf(){...}
-
8/9/2019 JavaScript Security Presentation
34/89
Static scoping in ES5
ECMAScript 5 non-strict is not statically scoped
Four violations:
Assigning to a non-existent variable creates a new global variable
with (expr) { x }statement
delete x;// may delete a statically visible var
eval('var x=8');// may add a statically visible var
functionf() { var xfoo; xFoo = 1; }
-
8/9/2019 JavaScript Security Presentation
35/89
Ecmascript 5 Strict: syntactic restrictions
The following are forbidden in strict mode (signaled as syntax errors):
with(expr) {
...
}
functionf(eval) {
// eval as variable name
}
{ a: 1,
b: 2,
b: 3 } // duplicate property
functionf(a,b,b) {
// repeated param name
}
varn = 023; // octal literal
varx = 5;
...
deletex; // deleting a var
-
8/9/2019 JavaScript Security Presentation
36/89
Ecmascript 5 Strict
Runtime changes (fail silently outside of strict mode, throw anexception in strict mode)
functionf() {
// assigning to an undeclared variable
var xfoo; xFoo = 1;
}
// deleting a non-configurable property
varpt = Object.freeze({x:0,y:0});
deletept.x;
-
8/9/2019 JavaScript Security Presentation
37/89
Ecmascript 5 Strict: avoid global object leakage
Runtime changes: default thisbound to undefinedinstead of the
global object
functionPoint(x, y) {
this.x = x;
this.y = y;
}
var p = newPoint(1,2);
var p = Point(1,2);// window.x = 1;
// window.y = 2;
print(x) // 1
use strict;
functionPoint(x, y) { this.x = x;
this.y = y;
}
var p = newPoint(1,2);
var p = Point(1,2);
// undefined.x = 1;
// error!
-
8/9/2019 JavaScript Security Presentation
38/89
Direct versus Indirect Eval
ES5 runtime changes to eval (both in strict and non-strict mode)
evaloperator versus evalfunction
varx = 0;
eval(x = 5);
print(x); // 5
varx = 0;varf = eval;
f(x = 5);
print(x); // 0
Direct Indirect
-
8/9/2019 JavaScript Security Presentation
39/89
ECMAScript 5 Themes
New APIs
Array methods, JSON, bound functions, ...
More robust programming
Tamper-proof objects, strict mode, ...
Better emulation of host objects(e.g. the DOM)
Accessors (getter / setter properties), property attributes
-
8/9/2019 JavaScript Security Presentation
40/89
Host objects
Objects provided by the host platform
E.g. the DOM: a tree representation of the HTML document
look and feel like Javascript objects, but are not implemented inJavascript (typically in C++)
Odd behavior not always easy to reproduce in JavaScript itself
ES5 provides APIs that partially solve this (accessors, property attributes)
ES6 goes further with proxies
-
8/9/2019 JavaScript Security Presentation
41/89
Part III: ECMAScript 6 Proxies
-
8/9/2019 JavaScript Security Presentation
42/89
Proxies
Objects that look and feel like normal objects, but whosebehavior is controlled byanotherJavascript object
Part of a new reflection API for ECMAScript 6
Think java.lang.reflect.Proxyon steroids
-
8/9/2019 JavaScript Security Presentation
43/89
Why Proxies?
Generic access control wrappers:
E.g. revocable references, membranes (see later)
Emulating host objects
Ability to self-host the DOM
Could provide a virtual document to third-party scripts
-
8/9/2019 JavaScript Security Presentation
44/89
Generic wrapper example: tracing
functionmakePoint(x, y) {
return{
x: x,
y: y
};
}
varp = makePoint(2,2);
vartp = makeTracer(p);
tp.x
// log(p, get, x);// 2
tp.y = 3
// log(p, set, y, 3);
// 3
-
8/9/2019 JavaScript Security Presentation
45/89
Generic wrapper example: tracing
functionmakeTracer(obj) {
var proxy = Proxy(obj, {
get: function(tgt, name) {
console.log(tgt, get, name);
returntgt[name];
}, set: function(tgt, name, val) {
console.log(tgt, set, name, val);
returntgt[name] = val;
},
});
returnproxy;}
-
8/9/2019 JavaScript Security Presentation
46/89
Generic wrapper example: tracing
functionmakeTracer(obj) {
var proxy = Proxy(obj, {
get: function(tgt, name) {
console.log(tgt, get, name);
returntgt[name];
}, set: function(tgt, name, val) {
console.log(tgt, set, name, val);
returntgt[name] = val;
},
});
returnproxy;}
meta
base
proxy
handler
-
8/9/2019 JavaScript Security Presentation
47/89
Generic wrapper example: tracing
functionmakeTracer(obj) {
var proxy = Proxy(obj, {
get: function(tgt, name) {
console.log(tgt, get, name);
returntgt[name];
}, set: function(tgt, name, val) {
console.log(tgt, set, name, val);
returntgt[name] = val;
},
});
returnproxy;}
meta
base
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
48/89
Stratified API
var proxy = Proxy(target, handler);
meta
base
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
49/89
Stratified API
var proxy = Proxy(target, handler);
meta
base
proxy.foo
handler.get(target, foo)
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
50/89
Stratified API
var proxy = Proxy(target, handler);
meta
base
proxy.foo
handler.get(target, foo)
proxy.foo =42
handler.set(target, foo, 42)
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
51/89
Stratified API
var proxy = Proxy(target, handler);
meta
base
proxy.foo
handler.get(target, foo)
proxy.foo =42
handler.set(target, foo, 42)
proxy.foo(1,2,3)
handler.get(target, foo).apply(proxy,[1,2,3])
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
52/89
Stratified API
var proxy = Proxy(target, handler);
meta
base
proxy.foo
handler.get(target, foo)
proxy.foo =42
handler.set(target, foo, 42)
proxy.get
handler.get(target, get)
proxy.foo(1,2,3)
handler.get(target, foo).apply(proxy,[1,2,3])
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
53/89
Not just property access
var proxy = Proxy(target, handler);
meta
base
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
54/89
-
8/9/2019 JavaScript Security Presentation
55/89
Not just property access
var proxy = Proxy(target, handler);
meta
base
foo inproxy
handler.has(target,foo)
deleteproxy.foo
handler.deleteProperty(target,foo)
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
56/89
Not just property access
var proxy = Proxy(target, handler);
meta
base
foo inproxy
handler.has(target,foo)
deleteproxy.foo
handler.deleteProperty(target,foo)
for(var p inproxy) { ... }
var props = handler.enumerate(target);for (var p in props) { ... }
proxy
handler
target
-
8/9/2019 JavaScript Security Presentation
57/89
Example: a revocable reference
revocable reference: limit the lifetime of an object reference
proxy target
var ref = makeRevocable(target);
var proxy = ref.proxy;
// pass proxy to code
ref.revoke();
-
8/9/2019 JavaScript Security Presentation
58/89
Example: a revocable reference
revocable reference: limit the lifetime of an object reference
proxy target
var ref = makeRevocable(target);
var proxy = ref.proxy;
// pass proxy to code
ref.revoke();
-
8/9/2019 JavaScript Security Presentation
59/89
functionmakeRevocable(target) {
varenabled = true;
return{
proxy: Proxy(target, {
get: function(target, name) { if(enabled) { returntarget[name]; }
thrownewError(revoked);
}
}),
revoke: function() { enabled = false; };
}
}
Example: a revocable reference
-
8/9/2019 JavaScript Security Presentation
60/89
Proxies: availability
Firefox
node --harmony
Chrome (enable experimental JS flag in chrome://flags )
Library that implements the latest API proposed for ES6
Available on Github: https://github.com/tvcutsem/harmony-reflect
https://github.com/tvcutsem/harmony-reflecthttps://github.com/tvcutsem/harmony-reflect -
8/9/2019 JavaScript Security Presentation
61/89
Part IV: Caja and Secure ECMAScript (SES)
-
8/9/2019 JavaScript Security Presentation
62/89
Caja
Caja enables the safe embedding of third-party active content insideyour website
Secures Google Sites
Secures Google Apps Scripts
More generally: Gadgets, Mashups:
https://developers.google.com/caja/docs/about/
https://developers.google.com/caja/docs/about/https://developers.google.com/caja/docs/about/https://developers.google.com/caja/docs/about/https://developers.google.com/caja/docs/about/ -
8/9/2019 JavaScript Security Presentation
63/89
Caja
Not a traditional sandbox. Caja-compiled code is safe to inline directlyin a webpage . No iframes.
Can put multiple third-party apps into the same page and allow themto directly exchange JavaScript objects
Great for writing mash-ups
The host page is protected from the embedded apps
E.g. embedded app can't redirect the host page to phishing sites, or stealcookies from the hosting page
-
8/9/2019 JavaScript Security Presentation
64/89
Caja : Taming
Caja proxies the DOM. Untrusted content interacts with a virtual DOM,never with the real DOM.
https://developers.google.com/caja/docs/about/
https://developers.google.com/caja/docs/about/https://developers.google.com/caja/docs/about/https://developers.google.com/caja/docs/about/https://developers.google.com/caja/docs/about/ -
8/9/2019 JavaScript Security Presentation
65/89
Caja
Example: Caja Playground
http://caja.appspot.com
http://caja.appspot.com/http://caja.appspot.com/ -
8/9/2019 JavaScript Security Presentation
66/89
Caja
Caja consists of:
A capability-secure JavaScript subset (SES)
A safe DOM wrapper (Domado)
A HTML and CSS sanitizer
SES is the portion of Caja responsible for securing JavaScript
-
8/9/2019 JavaScript Security Presentation
67/89
Secure ECMAScript
SES
ES5/strict
ES5
ES3
adds tamper-proof objects
adds proper static scoping
adds confinement
-
8/9/2019 JavaScript Security Presentation
68/89
Secure ECMAScript
Implemented as a library on top of ES5/strict
Include as first script, before any other JavaScript code runs:
-
8/9/2019 JavaScript Security Presentation
69/89
Secure ECMAScript
Deep-frozen global environment (incl. frozen global object)
Cant update properties of Object, Array, Function, Math, JSON, etc.
Whitelisted global environment
No powerful non-standard globals(e.g. document, window, XMLHttpRequest, ...)
Code that spawns an SES environment may provide selective access tothese
Patches evaland Functionto accept only ES5/strict code, that can
only name global variables on the whitelist
-
8/9/2019 JavaScript Security Presentation
70/89
Proxies again
Caja uses object capabilities to express security policies
In the object-capability paradigm, an object is powerless unlessgiven a reference to other (more) powerful objects
Common to wrap objects with proxies that define a security policy
E.g. revocable reference: limit the lifetime of an object reference
trusted code
untrusted code
target
proxy
-
8/9/2019 JavaScript Security Presentation
71/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
72/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
73/89
-
8/9/2019 JavaScript Security Presentation
74/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
75/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
76/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
77/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
78/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
79/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
80/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
81/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
82/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
83/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
84/89
SES context
Membranes
Transitively revocable references
All within a single JavaScript context/frame
-
8/9/2019 JavaScript Security Presentation
85/89
Wrap-up
-
8/9/2019 JavaScript Security Presentation
86/89
Wrap-up
SES
ES5/strict
ES5
ES3
and
the Secure parts.
the Strict,
the Good,
the Bad,
"#$#%#&'#&()*#%
+,-./01231445
6+')78&9#%&79:;&7< 1445
ECMA-2625
thEdition /December 2009
ECMAScript LanguageSpecification
JavaScript:
-
8/9/2019 JavaScript Security Presentation
87/89
Take-home messages
Secure ECMAScript (SES) builds on ES5 strict mode
If you want your code to besecurable, opt into strict mode
Proxies are a power-tool to express fine-grained security policies(e.g. membranes)
-
8/9/2019 JavaScript Security Presentation
88/89
References
Warmly recommended: Doug Crockford on JavaScripthttp://goo.gl/FGxmM (YouTube playlist)
http://www.youtube.com/playlist?list=PL7664379246A246CBhttp://www.youtube.com/playlist?list=PL7664379246A246CB -
8/9/2019 JavaScript Security Presentation
89/89
References
ECMAScript 5:
Changes to JavaScript Part 1: EcmaScript 5 (Mark S. Miller, WaldemarHorwat, Mike Samuel), Google Tech Talk (May 2009)
Secure Mashups in ECMAScript 5 (Mark S. Miller), QCon Talk
http://www.infoq.com/presentations/Secure-Mashups-in-ECMAScript-5
Caja: https://developers.google.com/caja
SES: http://code.google.com/p/google-caja/wiki/SES
Proxies: http://soft.vub.ac.be/~tvcutsem/invokedynamic/proxies_tutorial
ES6 latest developments: http://wiki.ecmascript.org and [email protected] mailing list
mailto:[email protected]:[email protected]://wiki.ecmascript.org/http://soft.vub.ac.be/~tvcutsem/invokedynamic/proxies_tutorialhttp://soft.vub.ac.be/~tvcutsem/invokedynamic/proxies_tutorialhttp://code.google.com/p/google-caja/wiki/SEShttps://developers.google.com/cajamailto:[email protected]://wiki.ecmascript.org/http://wiki.ecmascript.org/http://soft.vub.ac.be/~tvcutsem/invokedynamic/proxies_tutorialhttp://soft.vub.ac.be/~tvcutsem/invokedynamic/proxies_tutorialhttp://code.google.com/p/google-caja/wiki/SEShttp://code.google.com/p/google-caja/wiki/SEShttps://developers.google.com/cajahttps://developers.google.com/cajahttp://www.infoq.com/presentations/Secure-Mashups-in-ECMAScript-5http://www.infoq.com/presentations/Secure-Mashups-in-ECMAScript-5