{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T00:21:09Z","timestamp":1740097269309,"version":"3.37.3"},"publisher-location":"Cham","reference-count":99,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319430041"},{"type":"electronic","value":"9783319430058"}],"license":[{"start":{"date-parts":[[2016,1,1]],"date-time":"2016-01-01T00:00:00Z","timestamp":1451606400000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2016]]},"DOI":"10.1007\/978-3-319-43005-8_2","type":"book-chapter","created":{"date-parts":[[2016,8,13]],"date-time":"2016-08-13T11:40:59Z","timestamp":1471088459000},"page":"32-86","source":"Crossref","is-referenced-by-count":4,"title":["JavaScript Sandboxing: Isolating and Restricting Client-Side JavaScript"],"prefix":"10.1007","author":[{"given":"Steven","family":"Van Acker","sequence":"first","affiliation":[]},{"given":"Andrei","family":"Sabelfeld","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2016,8,14]]},"reference":[{"key":"2_CR1","unstructured":"Galeon. http:\/\/galeon.sourceforge.net\/"},{"key":"2_CR2","unstructured":"JSLint, The JavaScript Code Quality Tool. http:\/\/www.jslint.com\/"},{"key":"2_CR3","unstructured":"Netscape 2.0 reviewed. http:\/\/www.antipope.org\/charlie\/old\/journo\/netscape.html"},{"key":"2_CR4","unstructured":"node.js. http:\/\/nodejs.org\/"},{"key":"2_CR5","unstructured":"QuirksMode - for all your browser quirks. http:\/\/www.quirksmode.org\/"},{"key":"2_CR6","doi-asserted-by":"crossref","unstructured":"Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., Piessens, F.: JSand: complete client-side sandboxing of third-party JavaScript without browser modifications. 
In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 1\u201310. ACM (2012)","DOI":"10.1145\/2420950.2420952"},{"key":"2_CR7","unstructured":"Akhawe, D., Saxena, P., Song, D.: Privilege separation in HTML5 applications. In: Kohno, T. (ed.) Proceedings of the 21th USENIX Security Symposium, Bellevue, WA, USA, August 8\u201310, 2012, pp. 429\u2013444. USENIX Association (2012). https:\/\/www.usenix.org\/conference\/usenixsecurity12\/technical-sessions\/presentation\/akhawe"},{"key":"2_CR8","unstructured":"Ustinova, A.: Developers compete at Facebook conference, 23 July 2008. http:\/\/www.sfgate.com\/business\/article\/Developers-compete-at-Facebook-conference-3203144.php"},{"key":"2_CR9","unstructured":"Apache OpenOffice: Writing Office Scripts in JavaScript. https:\/\/www.openoffice.org\/framework\/scripting\/release-0.2\/javascript-devguide.html"},{"issue":"6","key":"2_CR10","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1145\/1516046.1516066","volume":"52","author":"A Barth","year":"2009","unstructured":"Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. Commun. ACM 52(6), 83\u201391 (2009). http:\/\/doi.acm.org\/10.1145\/1516046.1516066","journal-title":"Commun. ACM"},{"key":"2_CR11","unstructured":"Blink: Blink. http:\/\/www.chromium.org\/blink"},{"key":"2_CR12","unstructured":"BuiltWith: jQuery Usage Statistics. http:\/\/trends.builtwith.com\/javascript\/jQuery"},{"key":"2_CR13","unstructured":"Cao, Y., Li, Z., Rastogi, V., Chen, Y., Wen, X.: Virtual browser: a virtualized browser to sandbox third-party JavaScripts with enhanced security. In: Youm, H.Y., Won, Y. (eds.) 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2012, Seoul, Korea, May 2\u20134, 2012, pp. 8\u20139. ACM (2012). 
http:\/\/doi.acm.org\/10.1145\/2414456.2414460"},{"key":"2_CR14","unstructured":"Cassou, D., Ducasse, S., Petton, N.: SafeJS: Hermetic Sandboxing for JavaScript (2013)"},{"key":"2_CR15","doi-asserted-by":"crossref","unstructured":"Charles Severance: JavaScript: Designing a Language in 10 Days. http:\/\/www.computer.org\/csdl\/mags\/co\/2012\/02\/mco2012020007.html","DOI":"10.1109\/MC.2012.57"},{"key":"2_CR16","unstructured":"Crockford, D.: ADsafe - making JavaScript safe for advertising. http:\/\/adsafe.org\/"},{"key":"2_CR17","unstructured":"De Ryck, P., Desmet, L., Philippaerts, P., Piessens, F.: A security analysis of next generation web standards. Technical report. In: Hogben, G., Dekker, M. (eds.) European Network and Information Security Agency (ENISA), July 2011. https:\/\/lirias.kuleuven.be\/handle\/123456789\/317385"},{"key":"2_CR18","unstructured":"Dio Synodinos: ECMAScript 5, Caja and Retrofitting Security, with Mark S. Miller. http:\/\/www.infoq.com\/interviews\/ecmascript-5-caja-retrofitting-security"},{"key":"2_CR19","doi-asserted-by":"crossref","unstructured":"Dong, X., Tran, M., Liang, Z., Jiang, X.: AdSentry: comprehensive and flexible confinement of javascript-based advertisements. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC 2011, pp. 297\u2013306. ACM, New York (2011). http:\/\/doi.acm.org\/10.1145\/2076732.2076774","DOI":"10.1145\/2076732.2076774"},{"key":"2_CR20","unstructured":"ECMAScript: Harmony Direct Proxies. http:\/\/wiki.ecmascript.org\/doku.php?id=harmony:direct_proxies"},{"key":"2_CR21","unstructured":"Espruino: Espruino - JavaScript for Microcontrollers. http:\/\/www.espruino.com\/"},{"key":"2_CR22","unstructured":"Facebook: Facebook Expands Power of Platform Across the Web and Around the World, 23 July 2008. 
http:\/\/newsroom.fb.com\/news\/2008\/07\/facebook-expands-power-of-platform-across-the-web-and-around-the-world\/"},{"key":"2_CR23","unstructured":"Facebook: Facebook Platform Migrations (Older). https:\/\/developers.facebook.com\/docs\/apps\/migrations\/completed-changes"},{"key":"2_CR24","unstructured":"Facebook: Facebook Unveils Platform for Developers of Social Applications,24 May 2007. http:\/\/newsroom.fb.com\/news\/2007\/05\/facebook-unveils-platform-for-developers-of-social-applications\/"},{"key":"2_CR25","unstructured":"Finifter, M., Weinberger, J., Barth, A.: Preventing capability leaks in secure javascript subsets. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA, 28th February - 3rd March 2010. The Internet Society (2010). http:\/\/www.isoc.org\/isoc\/conferences\/ndss\/10\/pdf\/21.pdf"},{"key":"2_CR26","unstructured":"Fran Larkin: Platform Updates: Change Log, Third Party IDs and More, 18 December 2010. https:\/\/developers.facebook.com\/blog\/post\/441"},{"key":"2_CR27","unstructured":"GNOME: Gjs: JavaScript Bindings for GNOME. https:\/\/wiki.gnome.org\/action\/show\/Projects\/Gjs?action=show&redirect=Gjs"},{"key":"2_CR28","unstructured":"Google: V8 JavaScript Engine. https:\/\/code.google.com\/p\/v8\/"},{"key":"2_CR29","unstructured":"Google Chrome Developers: Chrome - What are extensions? https:\/\/developer.chrome.com\/extensions"},{"key":"2_CR30","unstructured":"Google Chrome Developers: Native Client. https:\/\/developer.chrome.com\/native-client"},{"key":"2_CR31","unstructured":"Grosskurth, A., Godfrey, M.W.: A case study in architectural analysis: The evolution of the modern web browser. EMSE (2007)"},{"key":"2_CR32","unstructured":"Guarnieri, S., Livshits, V.B.: GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code. In: Monrose, F. (ed.) 18th USENIX Security Symposium, Montreal, Canada, August 10\u201314, 2009, Proceedings, pp. 
151\u2013168. USENIX Association (2009). http:\/\/www.usenix.org\/events\/sec09\/tech\/full_papers\/guarnieri.pdf"},{"key":"2_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1007\/978-3-642-14107-2_7","volume-title":"ECOOP 2010 \u2013 Object-Oriented Programming","author":"A Guha","year":"2010","unstructured":"Guha, A., Saftoiu, C., Krishnamurthi, S.: The essence of javascript. In: D\u2019Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 126\u2013150. Springer, Heidelberg (2010). http:\/\/dx.doi.org\/10.1007\/978-3-642-14107-2_7"},{"key":"2_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"281","DOI":"10.1007\/978-3-642-23644-0_15","volume-title":"Recent Advances in Intrusion Detection","author":"M Heiderich","year":"2011","unstructured":"Heiderich, M., Frosch, T., Holz, T.: IceShield: detection and mitigation of malicious websites with a frozen DOM. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 281\u2013300. Springer, Heidelberg (2011). http:\/\/dx.doi.org\/10.1007\/978-3-642-23644-0_15"},{"key":"2_CR35","unstructured":"Ingram, L., Walfish, M.: Treehouse: javascript sandboxes to help web developers help themselves. In: Heiser, G., Hsieh, W.C. (eds.) 2012 USENIX Annual Technical Conference, Boston, MA, USA, June 13\u201315, 2012, pp. 153\u2013164. USENIX Association (2012). https:\/\/www.usenix.org\/conference\/atc12\/technical-sessions\/presentation\/ingram"},{"key":"2_CR36","unstructured":"Jacaranda: Jacaranda. http:\/\/jacaranda.org"},{"key":"2_CR37","unstructured":"Jayaraman, K., Du, W., Rajagopalan, B., Chapin, S.J.: ESCUDO: a fine-grained protection model for web browsers. In: 2010 International Conference on Distributed Computing Systems, ICDCS 2010, Genova, Italy, June 21\u201325, 2010, pp. 231\u2013240. IEEE Computer Society (2010). 
http:\/\/doi.ieeecomputersociety.org\/10.1109\/ICDCS.2010.71"},{"key":"2_CR38","doi-asserted-by":"crossref","unstructured":"Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 601\u2013610. ACM, New York (2007). http:\/\/dx.doi.org\/10.1145\/1242572.1242654","DOI":"10.1145\/1242572.1242654"},{"key":"2_CR39","unstructured":"Joiner, R., Reps, T.W., Jha, S., Dhawan, M., Ganapathy, V.: Efficient runtime-enforcement techniques for policy weaving. In: Cheung, S., Orso, A., Storey, M.D. (eds.) Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, (FSE-22), Hong Kong, China, November 16\u201322, 2014, pp. 224\u2013234. ACM (2014). http:\/\/doi.acm.org\/10.1145\/2635868.2635907"},{"key":"2_CR40","unstructured":"jQuery: Update on jQuery.com Compromises. http:\/\/blog.jquery.com\/2014\/09\/24\/update-on-jquery-com-compromises\/"},{"key":"2_CR41","unstructured":"JSLint Error Explanations: Implied eval is evil. Pass a function instead of a string. http:\/\/jslinterrors.com\/implied-eval-is-evil-pass-a-function-instead-of-a-string"},{"key":"2_CR42","unstructured":"Zyp, K.: Secure Mashups with dojox.secure. http:\/\/www.sitepen.com\/blog\/2008\/08\/01\/secure-mashups-with-dojoxsecure\/"},{"key":"2_CR43","unstructured":"Dignan, L.: Developing a PayPal App, 20 February 2011. https:\/\/web.archive.org\/web\/20110220013816\/https:\/\/www.x.com\/docs\/DOC-3082"},{"key":"2_CR44","unstructured":"Dignan, L.: MySpace: Caja JavaScript scrubbing ready for prime time. 
http:\/\/www.zdnet.com\/article\/myspace-caja-javascript-scrubbing-ready-for-prime-time\/"},{"key":"2_CR45","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"231","DOI":"10.1007\/978-3-642-21599-5_17","volume-title":"Trust and Trustworthy Computing","author":"T Luo","year":"2011","unstructured":"Luo, T., Du, W.: Contego: capability-based access control for web browsers - (short paper). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 231\u2013238. Springer, Heidelberg (2011). http:\/\/dx.doi.org\/10.1007\/978-3-642-21599-5_17"},{"key":"2_CR46","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"505","DOI":"10.1007\/978-3-642-04444-1_31","volume-title":"Computer Security \u2013 ESORICS 2009","author":"S Maffeis","year":"2009","unstructured":"Maffeis, S., Mitchell, J.C., Taly, A.: Isolating javascript with filters, rewriting, and wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505\u2013522. Springer, Heidelberg (2009). http:\/\/dx.doi.org\/10.1007\/978-3-642-04444-1_31"},{"key":"2_CR47","unstructured":"Maffeis, S., Taly, A.: Language-based isolation of untrusted javascript. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, Port Jefferson, New York, USA, July 8\u201310, 2009, pp. 77\u201391. IEEE Computer Society (2009). http:\/\/doi.ieeecomputersociety.org\/10.1109\/CSF.2009.11"},{"key":"2_CR48","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1007\/978-3-642-27937-9_17","volume-title":"Information Security Technology for Applications","author":"J Magazinius","year":"2012","unstructured":"Magazinius, J., Phung, P.H., Sands, D.: Safe wrappers and sane policies for self protecting javascript. In: Aura, T., J\u00e4rvinen, K., Nyberg, K. (eds.) NordSec 2010. LNCS, vol. 7127, pp. 239\u2013255. 
Springer, Heidelberg (2012). http:\/\/dx.doi.org\/10.1007\/978-3-642-27937-9_17"},{"key":"2_CR49","unstructured":"Maxthon: Maxthon Cloud Browser. http:\/\/www.maxthon.com\/"},{"key":"2_CR50","unstructured":"Meyerovich, L.A., Felt, A.P., Miller, M.S.: Object views: fine-grained sharing in browsers (2010). http:\/\/doi.acm.org\/10.1145\/1772690.1772764"},{"key":"2_CR51","unstructured":"Meyerovich, L.A., Livshits, V.B.: ConScript: specifying and enforcing fine-grained security policies for javascript in the browser. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, 16\u201319 May 2010, Berkeley\/Oakland, California, USA, pp. 481\u2013496. IEEE Computer Society (2010). http:\/\/doi.ieeecomputersociety.org\/10.1109\/SP.2010.36"},{"key":"2_CR52","doi-asserted-by":"crossref","unstructured":"Mickens, J.: Pivot: fast, synchronous mashup isolation using generator chains. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, May 18\u201321, 2014. pp. 261\u2013275. IEEE Computer Society (2014). http:\/\/dx.doi.org\/10.1109\/SP.2014.24","DOI":"10.1109\/SP.2014.24"},{"key":"2_CR53","unstructured":"Mickens, J., Finifter, M.: Jigsaw: efficient, low-effort mashup isolation. In: Presented as part of the 3rd USENIX Conference on Web Application Development (WebApps 2012), pp. 13\u201325. USENIX, Boston (2012). https:\/\/www.usenix.org\/conference\/webapps12\/technical-sessions\/presentation\/mickens"},{"key":"2_CR54","unstructured":"Microsoft: Internet Explorer Architecture. http:\/\/msdn.microsoft.com\/en-us\/library\/aa741312(v=vs.85).aspx"},{"key":"2_CR55","unstructured":"Microsoft: Microsoft Internet Security and Acceleration (ISA) Server 2004. http:\/\/technet.microsoft.com\/en-us\/library\/cc302436.aspx"},{"key":"2_CR56","unstructured":"Microsoft: Microsoft Security Bulletin MS04-040 - Critical. 
https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms04-040.aspx"},{"key":"2_CR57","unstructured":"Microsoft: Mitigating Cross-site Scripting With HTTP-only Cookies. http:\/\/msdn.microsoft.com\/en-us\/library\/ms533046(VS.85).aspx"},{"key":"2_CR58","unstructured":"Microsoft Live Labs: Live Labs Websandbox. http:\/\/websandbox.org"},{"key":"2_CR59","unstructured":"Mihai Bazon: UglifyJS. https:\/\/github.com\/mishoo\/UglifyJS\/"},{"key":"2_CR60","unstructured":"Miller, M.S., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja - safe active content in sanitized JavaScript. Technical report, Google Inc., June 2008"},{"key":"2_CR61","unstructured":"Miller, M.S.: Robust composition: towards a unified approach to access control and concurrency control. Ph.D. thesis, Johns Hopkins University, Baltimore, MD, USA (2006). aAI3245526"},{"key":"2_CR62","unstructured":"MITRE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition. http:\/\/cwe.mitre.org\/data\/definitions\/367.html"},{"key":"2_CR63","unstructured":"MongoDB, Inc.: MongoDB. http:\/\/www.mongodb.org\/"},{"key":"2_CR64","unstructured":"Mozilla: Gecko. https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Gecko"},{"key":"2_CR65","unstructured":"Mozilla: JavaScript Strict Mode Reference. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Reference\/Strict_mode"},{"key":"2_CR66","unstructured":"Mozilla: MDN - Building an extension. https:\/\/developer.mozilla.org\/en\/docs\/Building_an_Extension"},{"key":"2_CR67","unstructured":"Mozilla The Narcissus meta-circular JavaScript interpreter. https:\/\/github.com\/mozilla\/narcissus"},{"key":"2_CR68","unstructured":"Mozilla: The \"with\" statement. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript\/Reference\/Statements\/with"},{"key":"2_CR69","unstructured":"Namita Gupta: Facebook Platform Roadmap Update, 19 August 2010. 
https:\/\/developers.facebook.com\/blog\/post\/402"},{"key":"2_CR70","unstructured":"Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote JavaScript inclusions. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) the ACM Conference on Computer and Communications Security, CCS 2012, Raleigh, NC, USA, October 16\u201318, 2012, pp. 736\u2013747. ACM (2012). http:\/\/doi.acm.org\/10.1145\/2382196.2382274"},{"key":"2_CR71","unstructured":"Opera: Opera Browser. http:\/\/www.opera.com"},{"key":"2_CR72","doi-asserted-by":"crossref","unstructured":"Patil, K., Dong, X., Li, X., Liang, Z., Jiang, X.: Towards fine-grained access control in javascript contexts. In: 2011 International Conference on Distributed Computing Systems, ICDCS 2011, Minneapolis, Minnesota, USA, June 20\u201324, 2011, pp. 720\u2013729. IEEE Computer Society (2011). http:\/\/dx.doi.org\/10.1109\/ICDCS.2011.87","DOI":"10.1109\/ICDCS.2011.87"},{"key":"2_CR73","doi-asserted-by":"crossref","unstructured":"Phung, P.H., Desmet, L.: A two-tier sandbox architecture for untrusted JavaScript. In: JSTools 2012, Proceedings of the Workshop on JavaScript Tools, Beijing, 13 June 2012, pp. 1\u201310 (2012)","DOI":"10.1145\/2307720.2307721"},{"key":"2_CR74","doi-asserted-by":"crossref","unstructured":"Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS 2009, pp. 47\u201360. ACM, New York (2009). http:\/\/doi.acm.org\/10.1145\/1533057.1533067","DOI":"10.1145\/1533057.1533067"},{"key":"2_CR75","unstructured":"Politz, J.G., Eliopoulos, S.A., Guha, A., Krishnamurthi, S.: ADsafety: type-based verification of javascript sandboxing. In: 20th USENIX Security Symposium, San Francisco, CA, USA, August 8\u201312, 2011, Proceedings. USENIX Association (2011). 
http:\/\/static.usenix.org\/events\/sec11\/tech\/full_papers\/Politz.pdf"},{"key":"2_CR76","unstructured":"Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: vulnerability-driven filtering of dynamic HTML. In: OSDI 2006: Proceedings of the 7th symposium on Operating Systems Design and Implementation, pp. 61\u201374. USENIX Association, Berkeley (2006). http:\/\/citeseerx.ist.psu.edu\/viewdoc\/summary?doi=10.1.1.85.1661"},{"key":"2_CR77","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1007\/978-3-642-22655-7_4","volume-title":"ECOOP 2011 \u2013 Object-Oriented Programming","author":"G Richards","year":"2011","unstructured":"Richards, G., Hammer, C., Burg, B., Vitek, J.: The eval that men do: large-scale study of the use of eval in javascript applications. In: Mezini, M. (ed.) ECOOP 2011. LNCS, vol. 6813, pp. 52\u201378. Springer, Heidelberg (2011). http:\/\/dx.doi.org\/10.1007\/978-3-642-22655-7_4"},{"key":"2_CR78","unstructured":"Sam Pullara: Introducing Y!OS 1.0 - live today! 28 October 2008. https:\/\/web.archive.org\/web\/20081029191209\/http:\/\/developer.yahoo.net\/blog\/archives\/2008\/10\/yos_10_launch.html"},{"key":"2_CR79","unstructured":"Sandra Liu Huang: Platform Updates: Promotion Policies, Facepile and More, 4 December 2010. https:\/\/developers.facebook.com\/blog\/post\/2010\/12\/03\/platform-updates--promotion-policies--facepile-and-more\/"},{"key":"2_CR80","unstructured":"Mozilla SpiderMonkey. https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Projects\/SpiderMonkey"},{"key":"2_CR81","unstructured":"Stack Exchange (Jasvir Nagra): Why hasn\u2019t Caja been popular? http:\/\/programmers.stackexchange.com\/a\/147014"},{"key":"2_CR82","unstructured":"Stack Overflow (Kevin Reid): Uses of Google Caja. 
http:\/\/stackoverflow.com\/questions\/16054597\/uses-of-google-caja"},{"key":"2_CR83","doi-asserted-by":"crossref","unstructured":"Taly, A., Erlingsson, U., Mitchell, J.C., Miller, M.S., Nagra, J.: Automated analysis of security-critical javascript APIs. In: IEEE Symposium on Security and Privacy, pp. 363\u2013378 (2011)","DOI":"10.1109\/SP.2011.39"},{"key":"2_CR84","unstructured":"Ter Louw, M., Ganesh, K.T., Venkatakrishnan, V.N.: Adjail: practical enforcement of confidentiality and integrity policies on web advertisements. In: 19th USENIX Security Symposium, Washington, DC, USA, August 11\u201313, 2010, Proceedings, pp. 371\u2013388. USENIX Association (2010). http:\/\/www.usenix.org\/events\/sec10\/tech\/full_papers\/TerLouw.pdf"},{"key":"2_CR85","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1007\/978-3-642-41488-6_5","volume-title":"Secure IT Systems","author":"M Ter Louw","year":"2013","unstructured":"Ter Louw, M., Phung, P.H., Krishnamurti, R., Venkatakrishnan, V.N.: SafeScript: javascript transformation for policy enforcement. In: Riis Nielson, H., Gollmann, D. (eds.) NordSec 2013. LNCS, vol. 8208, pp. 67\u201383. Springer, Heidelberg (2013). http:\/\/dx.doi.org\/10.1007\/978-3-642-41488-6_5"},{"key":"2_CR86","doi-asserted-by":"crossref","unstructured":"Ter Louw, M., Venkatakrishnan, V.N.: Blueprint: Robust prevention of cross-site scripting attacks for existing browsers (2009). http:\/\/dx.doi.org\/10.1109\/SP.2009.33","DOI":"10.1109\/SP.2009.33"},{"key":"2_CR87","unstructured":"Tessel: Tessel 2. https:\/\/tessel.io"},{"key":"2_CR88","unstructured":"The FaceBook Team: FBJS. http:\/\/wiki.developers.facebook.com\/index.php\/FBJS"},{"key":"2_CR89","unstructured":"Troy Hunt: How I got XSS\u2019d by my ad network. http:\/\/www.troyhunt.com\/2015\/07\/how-i-got-xssd-by-my-ad-network.html"},{"key":"2_CR90","unstructured":"Twitter: How to embed Twitter timelines on your website. 
https:\/\/blog.twitter.com\/2012\/embedded-timelines-howto"},{"key":"2_CR91","unstructured":"Van Acker, S., De Ryck, P., Desmet, L., Piessens, F., Joosen, W.: WebJail: least-privilege integration of third-party components in web mashups. In: Zakon, R.H., McDermott, J.P., Locasto, M.E. (eds.) Twenty-Seventh Annual Computer Security Applications Conference, ACSAC 2011, Orlando, FL, USA, 5\u20139 December 2011, pp. 307\u2013316. ACM (2011). http:\/\/doi.acm.org\/10.1145\/2076732.2076775"},{"key":"2_CR92","unstructured":"W3C: Same Origin Policy - Web Security. http:\/\/www.w3.org\/Security\/wiki\/Same_Origin_Policy"},{"key":"2_CR93","unstructured":"W3C: W3C - Web Workers. http:\/\/www.w3.org\/TR\/workers\/"},{"key":"2_CR94","unstructured":"W3C: W3C Standards and drafts - Cross-Origin Resource Sharing. http:\/\/www.w3.org\/TR\/cors\/"},{"key":"2_CR95","unstructured":"W3C: XML Path Language (XPath) 2.0. http:\/\/www.w3.org\/TR\/xpath20\/"},{"key":"2_CR96","unstructured":"W3Techs: Usage of JavaScript for websites. http:\/\/w3techs.com\/technologies\/details\/cp-javascript\/all\/all"},{"key":"2_CR97","unstructured":"Webkit Blog - David Carson: Android uses WebKit. https:\/\/www.webkit.org\/blog\/142\/android-uses-webkit\/"},{"key":"2_CR98","unstructured":"WHATWG: HTML Living Standard - Timers. https:\/\/html.spec.whatwg.org\/multipage\/webappapis.html#timers"},{"key":"2_CR99","doi-asserted-by":"crossref","unstructured":"Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2007, pp. 237\u2013249. ACM, New York (2007). 
http:\/\/doi.acm.org\/10.1145\/1190216.1190252","DOI":"10.1145\/1190216.1190252"}],"container-title":["Lecture Notes in Computer Science","Foundations of Security Analysis and Design VIII"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-43005-8_2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,9,12]],"date-time":"2019-09-12T10:48:02Z","timestamp":1568285282000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-43005-8_2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016]]},"ISBN":["9783319430041","9783319430058"],"references-count":99,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-43005-8_2","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2016]]}}}