extensions for web-scale use. The remaining extension
points are either limited to safe, narrow .Net interfaces
or are written in HTML and JS and inherently subject to
the SOP. Sanitizing potentially unsafe .Net extensions to
preserve the SOP is itself an interesting research problem.
Possible approaches include using .Net AppDomains to
segregate extensions from the main DOM, or static analyses
to exclude unsafe accesses to DOM internals.
5 Future work
We have focused so far on the abilities extensions have
within our system. However, the more powerful extensions
become, the more likely they are to conflict with one
another. Certain extension points are easily amenable to
conflict detection; for example, two parser tag extensions
cannot both contribute the same new tag name. However,
in previous work we have shown that defining conflicts
precisely between overlay extensions, or between JS runtime
extensions, is a more challenging task [9].
Assuming a suitable notion of extension conflict exists
for each extension type, it falls to the extension loading
mechanism to ensure that, whenever possible, conflicting
extensions are not loaded. In some ways this is very similar
to the job of a compile-time linker, ensuring that all
modules are compatible before producing the executable
image. Such load-time prevention gives users a much better
experience than in current browsers, where problems
never surface until runtime. However, not all conflicts are
detectable statically, and so some runtime mechanism is
still needed to detect conflict, blame the offending extension,
and prevent the conflict from recurring.
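The load-time check described above, sketched for the parser-tag case as an added example (not code from C3 or its authors). The manifest shape { name, tags }, the "first loaded wins" policy, and the function names linkExtensions and blame are assumptions made for illustration.

```javascript
// Added example. The manifest shape { name, tags } and the "first loaded
// wins" policy are assumptions for illustration, not C3's design.

// Load-time "link" step: admit extensions in order, refusing any whose
// contributed parser tag names collide with an already admitted one.
// `blocked` holds extensions blamed for conflicts at runtime earlier.
function linkExtensions(manifests, blocked = new Set()) {
  const owner = new Map(); // lowercased tag name -> owning extension
  const loaded = [];
  const rejected = [];
  for (const ext of manifests) {
    if (blocked.has(ext.name)) {
      rejected.push({ name: ext.name, reason: "blamed-at-runtime", conflicts: [] });
      continue;
    }
    // HTML tag names are matched case-insensitively, so normalize first.
    const tags = [...new Set(ext.tags.map((t) => t.toLowerCase()))];
    const conflicts = tags
      .filter((t) => owner.has(t))
      .map((t) => ({ tag: t, heldBy: owner.get(t) }));
    if (conflicts.length > 0) {
      // Refuse the whole extension and claim none of its tags.
      rejected.push({ name: ext.name, reason: "tag-conflict", conflicts });
      continue;
    }
    for (const t of tags) owner.set(t, ext.name);
    loaded.push(ext.name);
  }
  return { loaded, rejected, owner };
}

// Runtime fallback: record blame so the next load excludes the extension.
function blame(blocked, extName) {
  return new Set([...blocked, extName]);
}

// Constructed sample manifests (hypothetical extension names).
const SAMPLE = [
  { name: "ext-3d", tags: ["scene", "mesh"] },
  { name: "ext-charts", tags: ["chart"] },
  { name: "ext-altmesh", tags: ["MESH", "shader"] },
];

const first = linkExtensions(SAMPLE);
console.log(first.loaded, JSON.stringify(first.rejected));
const second = linkExtensions(SAMPLE, blame(new Set(), "ext-3d"));
console.log(second.loaded);
```

In the second call the extension blamed at runtime is excluded before linking, so the extension it previously shadowed loads without conflict.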
6 Conclusion
We presented C3, a platform implementing HTML,
CSS and JS, and explored how its design was tuned for
easy reconfiguration and runtime extension. We presented
several motivating examples for each extension point,
and confirmed that our design is at least as expressive as
existing extension systems, supporting current extensions
as well as new ones not previously possible.
References
[1] BARTH, A., FELT, A. P., SAXENA, P., AND BOODMAN, A.
Protecting browsers from extension vulnerabilities. In NDSS
(2010).
[2] BARTH, A., WEINBERGER, J., AND SONG, D. Cross-origin
JavaScript capability leaks: Detection, exploitation, and defense.
In SSYM’09: Proceedings of the 18th conference on USENIX security
symposium (Berkeley, CA, USA, 2009), USENIX Association,
pp. 187–198.
[3] BEBENITA, M., BRANDNER, F., FAHNDRICH, M., LOGOZZO,
F., SCHULTE, W., TILLMANN, N., AND VENTER, H. SPUR:
A trace-based JIT compiler for CIL. In OOPSLA/SPLASH ’10:
Proceedings of the 25th ACM SIGPLAN conference on
Object-Oriented Programming Systems, Languages and Applications
(New York, NY, USA, 2010), ACM.
[4] FÄHNDRICH, M., BARNETT, M., AND LOGOZZO, F. Embedded
contract languages. In SAC ’10: Proceedings of the 2010 ACM
Symposium on Applied Computing (New York, NY, USA, 2010),
ACM, pp. 2103–2110.
[5] FREDRIKSON, M., AND LIVSHITS, B. RePriv: Re-envisioning
in-browser privacy. Tech. rep., Microsoft Research, Aug. 2010.
[6] GUHA, A., FREDRIKSON, M., LIVSHITS, B., AND SWAMY, N.
Verified security for browser extensions. MSR-TR to be available
11/01, September 2010.
[7] JACKSON, C., AND BARTH, A. Beware of finer-grained origins.
In Web 2.0 Security and Privacy (W2SP 2008) (2008).
[8] JONES, C. G., LIU, R., MEYEROVICH, L., ASANOVIC, K.,
AND BODÍK, R. Parallelizing the Web Browser. In HotPar ’09:
Proceedings of the Workshop on Hot Topics in Parallelism (March
2009), USENIX.
[9] LERNER, B. S., AND GROSSMAN, D. Language support for
extensible web browsers. In APLWACA ’10: Proceedings of the
2010 Workshop on Analysis and Programming Languages for Web
Applications and Cloud Applications (New York, NY, USA, 2010),
ACM, pp. 39–43.
[10] LERNER, B. S., VENTER, H., AND GROSSMAN, D. Supporting
dynamic, third-party code customizations in JavaScript using
aspects. In OOPSLA ’10: Companion of the 25th annual ACM
SIGPLAN conference on Object-oriented programming, systems,
languages, and applications (New York, NY, USA, 2010), ACM.
[11] MEYEROVICH, L. A., AND BODIK, R. Fast and parallel webpage
layout. In Proceedings of the 19th International Conference on
the World Wide Web (2010), WWW ’10, pp. 711–720.
[12] RICHARDSON, D. W., AND GRIBBLE, S. D. Maverick: Providing
web applications with safe and flexible access to local
devices. In Proceedings of the 2011 USENIX Conference on Web
Application Development (June 2011), WebApps’11.
[13] RUDERMAN, J. Same origin policy for javascript, Oct. 2010.
[14] SONS, K., KLEIN, F., RUBINSTEIN, D., BYELOZYOROV, S.,
AND SLUSALLEK, P. XML3D: interactive 3d graphics for the
web. In Web3D ’10: Proceedings of the 15th International Conference
on Web 3D Technology (New York, NY, USA, 2010), ACM,
pp. 175–184.
[15] WAGNER, G., GAL, A., WIMMER, C., EICH, B., AND FRANZ,
M. Compartmental memory management in a modern web
browser. In Proceedings of the International Symposium on Memory
Management (June 2011), ACM. To appear.
[16] WENDLANDT, D., ANDERSEN, D. G., AND PERRIG, A. Perspectives:
Improving ssh-style host authentication with multi-path
probing. In Proceedings of the USENIX Annual Technical Conference
(Usenix ATC) (June 2008).
[17] YEE, B., SEHR, D., DARDYK, G., CHEN, J., MUTH, R., ORMANDY,
T., OKASAKA, S., NARULA, N., AND FULLAGAR, N.
Native client: A sandbox for portable, untrusted x86 native code.
In Security and Privacy, 2009 30th IEEE Symposium on (May
2009), pp. 79–93.