{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T14:43:46Z","timestamp":1775054626593,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":49,"publisher":"ACM","license":[{"start":{"date-parts":[[2019,11,15]],"date-time":"2019-11-15T00:00:00Z","timestamp":1573776000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"German Federal Ministry of Education and Research and the Hessian Ministry of Science and the Arts","award":["CRISP"],"award-info":[{"award-number":["CRISP"]}]},{"name":"German Research Foundation","award":["ConcSys, Perf4JS"],"award-info":[{"award-number":["ConcSys, Perf4JS"]}]},{"name":"Swedish Foundation for Strategic Research (SSF) and Swedish Research Council (VR)"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2019,11,15]]},"DOI":"10.1145\/3338504.3357339","type":"proceedings-article","created":{"date-parts":[[2019,11,7]],"date-time":"2019-11-07T19:43:22Z","timestamp":1573155802000},"page":"45-59","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":19,"title":["An Empirical Study of Information Flows in Real-World JavaScript"],"prefix":"10.1145","author":[{"given":"Cristian-Alexandru","family":"Staicu","sequence":"first","affiliation":[{"name":"TU Darmstadt, Darmstadt, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"Schoepe","sequence":"additional","affiliation":[{"name":"Chalmers University of Technology, Gothenburg, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Musard","family":"Balliu","sequence":"additional","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michael","family":"Pradel","sequence":"additional","affiliation":[{"name":"TU Darmstadt, Darmstadt, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andrei","family":"Sabelfeld","sequence":"additional","affiliation":[{"name":"Chalmers University of Technology, Gothenburg, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2019,11,15]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Accessed: 2018-02-08. Babel JavaScript compiler. https:\/\/babeljs.io.  Accessed: 2018-02-08. Babel JavaScript compiler. https:\/\/babeljs.io."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660347"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516674"},{"key":"e_1_3_2_1_4_1","volume-title":"Workshop on Programming Languages and Analysis for Security (PLAS","author":"Thomas","year":"2009","unstructured":"Thomas H. Austin and Cormac Flanagan. 2009. Efficient purely-dynamic information flow analysis . In Workshop on Programming Languages and Analysis for Security (PLAS 2009 ). ACM, 113--124. Thomas H. Austin and Cormac Flanagan. 2009. Efficient purely-dynamic information flow analysis. In Workshop on Programming Languages and Analysis for Security (PLAS 2009). ACM, 113--124."},{"key":"e_1_3_2_1_5_1","volume-title":"Workshop on Programming Languages and Analysis for Security (PLAS","author":"Thomas","year":"2010","unstructured":"Thomas H. Austin and Cormac Flanagan. 2010. Permissive dynamic information flow analysis . In Workshop on Programming Languages and Analysis for Security (PLAS 2010 ). ACM, 3. Thomas H. Austin and Cormac Flanagan. 2010. Permissive dynamic information flow analysis. In Workshop on Programming Languages and Analysis for Security (PLAS 2010). ACM, 3."},{"key":"e_1_3_2_1_6_1","volume-title":"Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '12)","author":"Thomas","unstructured":"Thomas H. Austin and Cormac Flanagan. 2012. Multiple Facets for Dynamic Information Flow . In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '12) . 165--178. Thomas H. Austin and Cormac Flanagan. 2012. Multiple Facets for Dynamic Information Flow. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '12). 165--178."},{"key":"e_1_3_2_1_7_1","volume-title":"Oslo","author":"Balliu Musard","year":"2017","unstructured":"Musard Balliu , Daniel Schoepe , and Andrei Sabelfeld . 2017 . We Are Family: Relating Information-Flow Trackers. In Computer Security - ESORICS 2017 - 22nd European Symposium on Research in Computer Security , Oslo , Norway, September 11-15, 2017, Proceedings, Part I. 124--145. Musard Balliu, Daniel Schoepe, and Andrei Sabelfeld. 2017. We Are Family: Relating Information-Flow Trackers. In Computer Security - ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part I. 124--145."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1831708.1831711"},{"key":"e_1_3_2_1_9_1","volume-title":"Run-time Monitoring and Formal Analysis of Information Flows in Chromium. In Network and Distributed System Security Symposium (NDSS","author":"Bauer Lujo","year":"2015","unstructured":"Lujo Bauer , Shaoying Cai , Limin Jia , Timothy Passaro , Michael Stroucken , and Yuan Tian . 2015 . Run-time Monitoring and Formal Analysis of Information Flows in Chromium. In Network and Distributed System Security Symposium (NDSS 2015). The Internet Society. Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, Michael Stroucken, and Yuan Tian. 2015. Run-time Monitoring and Formal Analysis of Information Flows in Chromium. In Network and Distributed System Security Symposium (NDSS 2015). The Internet Society."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-54792-8_9"},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings, Part I. 242--259","author":"Bichhawat Abhishek","year":"2017","unstructured":"Abhishek Bichhawat , Vineet Rajani , Jinank Jain , Deepak Garg , and Christian Hammer . 2017 . WebPol: Fine-Grained Information Flow Policies for Web Browsers. In Computer Security - ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11--15, 2017 , Proceedings, Part I. 242--259 . Abhishek Bichhawat, Vineet Rajani, Jinank Jain, Deepak Garg, and Christian Hammer. 2017. WebPol: Fine-Grained Information Flow Policies for Web Browsers. In Computer Security - ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11--15, 2017, Proceedings, Part I. 242--259."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33167-1_4"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.37"},{"key":"e_1_3_2_1_14_1","volume-title":"Inlined Information Flow Monitoring for JavaScript. In ACM Conference on Computer and Communications Security (CCS","author":"Chudnov Andrey","year":"2015","unstructured":"Andrey Chudnov and David A. Naumann . 2015 . Inlined Information Flow Monitoring for JavaScript. In ACM Conference on Computer and Communications Security (CCS 2015 ). ACM, 629--643. Andrey Chudnov and David A. Naumann. 2015. Inlined Information Flow Monitoring for JavaScript. In ACM Conference on Computer and Communications Security (CCS 2015). ACM, 629--643."},{"key":"e_1_3_2_1_15_1","volume-title":"Programming Language Design and Implementation (PLDI","author":"Chugh Ravi","year":"2009","unstructured":"Ravi Chugh , Jeffrey A. Meister , Ranjit Jhala , and Sorin Lerner . 2009. Staged information flow for JavaScript . In Programming Language Design and Implementation (PLDI 2009 ). ACM , 50--62. Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, and Sorin Lerner. 2009. Staged information flow for JavaScript. In Programming Language Design and Implementation (PLDI 2009). ACM, 50--62."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273463.1273490"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382275"},{"key":"e_1_3_2_1_18_1","volume-title":"Cryptography and Data Security","author":"Denning Dorothy","unstructured":"Dorothy Denning . 1982. Cryptography and Data Security . Addison-Wesley Longman Publishing Co., Inc. , Boston, MA, USA . Dorothy Denning. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/360051.360056"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/359636.359712"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.43"},{"key":"e_1_3_2_1_22_1","volume-title":"The Matter of Heartbleed. In Internet Measurement Conference (IMC). 475--488","author":"Durumeric Zakir","year":"2014","unstructured":"Zakir Durumeric , James Kasten , David Adrian , J. Alex Halderman , Michael Bailey , Frank Li , Nicholas Weaver , Johanna Amann , Jethro Beekman , Mathias Payer , and Vern Paxson . 2014 . The Matter of Heartbleed. In Internet Measurement Conference (IMC). 475--488 . Zakir Durumeric, James Kasten, David Adrian, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Johanna Amann, Jethro Beekman, Mathias Payer, and Vern Paxson. 2014. The Matter of Heartbleed. In Internet Measurement Conference (IMC). 475--488."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1093\/comjnl\/17.2.143"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"J. A. Goguen and J. Meseguer. 1982. Security Policies and Security Models.. In S&P.  J. A. Goguen and J. Meseguer. 1982. Security Policies and Security Models.. In S&P.","DOI":"10.1109\/SP.1982.10014"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2554850.2554909"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2012.19"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866339"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"crossref","unstructured":"D. Jang R. Jhala S. Lerner and H. Shacham. 2010b. An empirical study of privacy-violating information flows in JavaScript web applications. In CCS.  D. Jang R. Jhala S. Lerner and H. Shacham. 2010b. An empirical study of privacy-violating information flows in JavaScript web applications. In CCS.","DOI":"10.1145\/1866307.1866339"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-007-0076-7"},{"key":"e_1_3_2_1_30_1","volume-title":"DTA: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In NDSS.","author":"Kang Min Gyung","year":"2011","unstructured":"Min Gyung Kang , Stephen McCamant , Pongsin Poosankam , and Dawn Song . 2011 . DTA: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In NDSS. Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. 2011. DTA: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In NDSS."},{"key":"e_1_3_2_1_31_1","volume-title":"ISC (Lecture Notes in Computer Science)","author":"Kerschbaumer Christoph","unstructured":"Christoph Kerschbaumer , Eric Hennigan , Per Larsen , Stefan Brunthaler , and Michael Franz . 2013. CrowdFlow: Efficient Information Flow Security . In ISC (Lecture Notes in Computer Science) , Vol. 7807 . Springer , 321--337. Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, and Michael Franz. 2013. CrowdFlow: Efficient Information Flow Security. In ISC (Lecture Notes in Computer Science), Vol. 7807. Springer, 321--337."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-89862-7_4"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1571629.1571631"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/363516.363526"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.43"},{"key":"e_1_3_2_1_38_1","unstructured":"A. Russo A. Sabelfeld and K. Li. 2009. Implicit flows in malicious and nonmalicious code. Marktoberdorf Summer School (IOS Press) (2009).  A. Russo A. Sabelfeld and K. Li. 2009. Implicit flows in malicious and nonmalicious code. Marktoberdorf Summer School (IOS Press) (2009)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2002.806121"},{"key":"e_1_3_2_1_40_1","volume-title":"FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In Network and Distributed System Security Symposium (NDSS","author":"Saxena Prateek","year":"2010","unstructured":"Prateek Saxena , Steve Hanna , Pongsin Poosankam , and Dawn Song . 2010 . FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In Network and Distributed System Security Symposium (NDSS 2010). The Internet Society. Prateek Saxena, Steve Hanna, Pongsin Poosankam, and Dawn Song. 2010. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In Network and Distributed System Security Symposium (NDSS 2010). The Internet Society."},{"key":"e_1_3_2_1_41_1","volume-title":"Explicit Secrecy: A Policy for Taint Tracking. In Euro S&P.","author":"Schoepe D.","year":"2016","unstructured":"D. Schoepe , M. Balliu , B. C. Pierce , and A. Sabelfeld . 2016 . Explicit Secrecy: A Policy for Taint Tracking. In Euro S&P. D. Schoepe, M. Balliu, B. C. Pierce, and A. Sabelfeld. 2016. Explicit Secrecy: A Policy for Taint Tracking. In Euro S&P."},{"key":"e_1_3_2_1_42_1","volume-title":"All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)","author":"Schwartz Edward J.","unstructured":"Edward J. Schwartz , Thanassis Avgerinos , and David Brumley . 2010. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) . In IEEE S &P. Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. 2010. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In IEEE S&P."},{"key":"e_1_3_2_1_43_1","volume-title":"Jalangi: A Selective Record-Replay and Dynamic Analysis Framework for JavaScript. In European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE","author":"Sen Koushik","year":"2013","unstructured":"Koushik Sen , Swaroop Kalasapur , Tasneem Brutch , and Simon Gibbs . 2013 . Jalangi: A Selective Record-Replay and Dynamic Analysis Framework for JavaScript. In European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE 2013). ACM, 488--498. Koushik Sen, Swaroop Kalasapur, Tasneem Brutch, and Simon Gibbs. 2013. Jalangi: A Selective Record-Replay and Dynamic Analysis Framework for JavaScript. In European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE 2013). ACM, 488--498."},{"key":"e_1_3_2_1_44_1","volume-title":"Web Accessible Resources. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, CODASPY 2017","author":"Discovering Browser","year":"2017","unstructured":"Discovering Browser Extensions via Web Accessible Resources. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, CODASPY 2017 , Scottsdale, AZ, USA , March 22-24, 2017 . 329--336. Discovering Browser Extensions via Web Accessible Resources. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, CODASPY 2017, Scottsdale, AZ, USA, March 22-24, 2017. 329--336."},{"key":"e_1_3_2_1_45_1","volume-title":"Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In USENIX Security Symposium. 361--376","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu and Michael Pradel . 2018 . Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In USENIX Security Symposium. 361--376 . Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In USENIX Security Symposium. 361--376."},{"key":"e_1_3_2_1_46_1","unstructured":"Cristian-Alexandru Staicu Michael Pradel and Ben Livshits. 2018. Understanding and Automatically Preventing Injection Attacks on Node.js. In NDSS.  Cristian-Alexandru Staicu Michael Pradel and Ben Livshits. 2018. Understanding and Automatically Preventing Injection Attacks on Node.js. In NDSS."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"crossref","unstructured":"Omer Tripp Pietro Ferrara and Marco Pistoia. 2014. Hybrid Security Analysis of Web JavaScript Code via Dynamic Partial Evaluation. In ISSTA.  Omer Tripp Pietro Ferrara and Marco Pistoia. 2014. Hybrid Security Analysis of Web JavaScript Code via Dynamic Partial Evaluation. In ISSTA.","DOI":"10.1145\/2610384.2610385"},{"key":"e_1_3_2_1_48_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium, NDSS 2007","author":"Vogt Philipp","year":"2007","unstructured":"Philipp Vogt , Florian Nentwich , Nenad Jovanovic , Engin Kirda , Christopher Kr\u00fc gel, and Giovanni Vigna . 2007 . Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis . In Proceedings of the Network and Distributed System Security Symposium, NDSS 2007 , San Diego, California, USA, 28th February - 2nd March 2007. Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kr\u00fc gel, and Giovanni Vigna. 2007. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2007, San Diego, California, USA, 28th February - 2nd March 2007."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.23"}],"event":{"name":"CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security","location":"London United Kingdom","acronym":"CCS '19","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 14th ACM SIGSAC Workshop on Programming Languages and Analysis for Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3338504.3357339","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3338504.3357339","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:12:49Z","timestamp":1750201969000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3338504.3357339"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,15]]},"references-count":49,"alternative-id":["10.1145\/3338504.3357339","10.1145\/3338504"],"URL":"https:\/\/doi.org\/10.1145\/3338504.3357339","relation":{},"subject":[],"published":{"date-parts":[[2019,11,15]]},"assertion":[{"value":"2019-11-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}