Making JavaScript Safe for Advertising.

JavaScript, the programming language of the web browser, is not a secure language. Any script in a page has intimate access to all of the information and relationships of the page.

ADsafe makes it safe to put guest code (such as third-party scripted advertising or widgets) on any web page. ADsafe defines a subset of JavaScript that is powerful enough to allow guest code to perform valuable interactions, while at the same time preventing malicious or accidental damage or intrusion. The ADsafe subset can be verified mechanically by tools like JSLint, so no human inspection is necessary to review guest code for safety. The ADsafe subset also enforces good coding practices, increasing the likelihood that guest code will run correctly.

The ADsafe subset blocks a script from accessing any global variables or from directly accessing the Document Object Model or any of its elements. Instead, ADsafe gives the script access to an ADSAFE object that is provided by the page's server, giving indirect access to the guest code's DOM elements and other page services.

ADsafe does not modify scripts. It will not make scripts bigger or slower or alter their behavior. ADsafe makes it possible to quickly and reliably determine that a script is safe for placement on a site's pages.

How ADsafe Works.

ADsafe removes features from JavaScript that are unsafe, that grant uncontrolled access to unsafe components, or that diminish code quality. The removed features include:

  • this
  • Access to global variables. (Limited access to Object, Array, Number, String, and Math is allowed.)
  • Use of eval in any of its forms.
  • Use of the with statement.
  • Use of these names in dot expressions: apply, arguments, call, callee, caller, constructor, eval, prototype, this, unwatch, valueOf, watch
  • Use of names starting with _.
  • Use of the [ ] subscript operator except when the subscript is a numeric literal.
  • Use of the == and != operators.

All other features of the language, including the methods of the standard types, are available without limitation. ADsafe provides in place of the excluded features an ADSAFE object that contains methods that restore the functionality in a safe way. For example, ADSAFE.get and ADSAFE.set take the place of the subscript operator.

var ADSAFE = function () {

    var error = function () {
        throw {
            name: "ADsafe",
            message: "ADsafe violation."
        };
    };

    // A (object, name) pair is refused when the object is the global
    // object or not an object at all, or when the name is neither a
    // number nor a string, or is a string beginning with an underscore.
    var reject = function (object, name) {
        return object === window || typeof object !== 'object' ||
            (typeof name !== 'number' &&
            (typeof name !== 'string' || name.charAt(0) == '_'));
    };

    return {
        get: function (object, name) {
            var value;
            // Only own properties are readable, and functions and the
            // global object are never returned to the guest.
            if (!reject(object, name) && object.hasOwnProperty(name)) {
                value = object[name];
                if (typeof value !== 'function' && value !== window) {
                    return value;
                }
            }
            error();
        },
        set: function (object, name, value) {
            // Functions may not be stored, so guest code cannot plant
            // callbacks on the objects it is given.
            if (!reject(object, name) && typeof value !== 'function') {
                object[name] = value;
                return;
            }
            error();
        }
        // Additional functions can be added here.
    };
}();

The services provided through ADSAFE methods include communication with the network and manipulation of the DOM. The ADSAFE methods are provided by the page to give the modules restricted access to essential services. It is not safe to give a module direct access to any DOM node, because access to any DOM node gives access to the document object, which gives access to the entire tree and to the network. It is safe to give a module indirect access to the DOM through methods that ensure that no capability leakage occurs.

In order for a module to be passed by ADsafe, it must make use of no global variables except the ADSAFE object. It must define no global variables, and it must not contain any code that could give the guest code access to the window object.

(function () {

/*
    Define here the variables and functions of the module.
    Use the ADSAFE object to access the DOM and to register
    for events and other services.
*/

})();
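The following is an added example, not code from the ADsafe page, that exercises the ADSAFE.get and ADSAFE.set design shown above against the kinds of access a guest module might attempt, so the capability-leakage point is visible as a table of outcomes. The ADSAFE object is rewritten here to the same rules as the page's version; `window`, `makeSample`, `attempt` and `runProbe` are constructed for the illustration, and `window` is a stand-in so the code runs outside a browser.

```javascript
// Constructed stand-in for the browser's global object so the example runs
// under Node; in a real page `window` is the browser global (assumption).
var window = { document: { body: "<the whole DOM>" } };

// Host-side ADSAFE object following the get/set rules described on the page.
var ADSAFE = (function () {
    var error = function () {
        throw { name: "ADsafe", message: "ADsafe violation." };
    };
    // Refuse the global object, non-objects, non-string/non-number names,
    // and any name beginning with an underscore.
    var reject = function (object, name) {
        return object === window || typeof object !== 'object' ||
            (typeof name !== 'number' &&
             (typeof name !== 'string' || name.charAt(0) === '_'));
    };
    return {
        get: function (object, name) {
            var value;
            if (!reject(object, name) && object.hasOwnProperty(name)) {
                value = object[name];
                // Functions and the global object are never handed out.
                if (typeof value !== 'function' && value !== window) {
                    return value;
                }
            }
            error();
        },
        set: function (object, name, value) {
            if (!reject(object, name) && typeof value !== 'function') {
                object[name] = value;
                return;
            }
            error();
        }
    };
}());

// Classify one ADSAFE call: "ok", an ADsafe "violation", or some other
// exception (for example a TypeError raised before the check could run).
function attempt(fn) {
    try {
        fn();
        return "ok";
    } catch (e) {
        return (e && e.name === "ADsafe") ? "violation" : "other-error";
    }
}

// A sample object of the kind a page might hand to guest code (constructed).
function makeSample() {
    return {
        title: "Widget",
        items: [10, 20, 30],
        _secret: "host-only",
        win: window,
        handler: function () {}
    };
}

// Run the matrix of accesses and return the outcomes.
function runProbe() {
    var obj = makeSample();
    return {
        titleValue: ADSAFE.get(obj, "title"),
        firstItem: ADSAFE.get(obj.items, 0),
        plainProperty: attempt(function () { ADSAFE.get(obj, "title"); }),
        numericIndex: attempt(function () { ADSAFE.get(obj.items, 0); }),
        underscoreName: attempt(function () { ADSAFE.get(obj, "_secret"); }),
        inherited: attempt(function () { ADSAFE.get(obj, "constructor"); }),
        functionValue: attempt(function () { ADSAFE.get(obj, "handler"); }),
        windowValue: attempt(function () { ADSAFE.get(obj, "win"); }),
        windowObject: attempt(function () { ADSAFE.get(window, "document"); }),
        viaFunctionObject: attempt(function () { ADSAFE.get(Object, "prototype"); }),
        nullObject: attempt(function () { ADSAFE.get(null, "x"); }),
        setFunction: attempt(function () { ADSAFE.set(obj, "cb", function () {}); }),
        setUnderscore: attempt(function () { ADSAFE.set(obj, "_x", 1); }),
        setPlain: attempt(function () { ADSAFE.set(obj, "count", 1); })
    };
}
```

Two points worth noticing from the outcomes. Reading `constructor` fails because hasOwnProperty excludes inherited properties, which is what keeps `Object.prototype` out of reach, and `Object` itself is refused because it is a function rather than an object. A `null` object passes the `typeof` test (typeof null is "object") and then fails on `hasOwnProperty` with an ordinary TypeError rather than the ADsafe error; the access still fails closed, but a page that wants a uniform error would need to check for null explicitly.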

Restrictions

All files and components must be encoded in UTF-8 and be properly identified as such.

Untrusted code will be able to indirectly call the window.onerror handler. The handler must be coded such that being called by untrusted code will cause no breach.
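As an added example, not code from the ADsafe page, here is one way to write a host-side window.onerror handler to that rule: every argument is treated as untrusted data, reduced to a bounded plain string or a number without calling any method on it, and the result is only appended to a log. The names `errorLog`, `safeText`, `safeNumber` and `recordError` are constructed for the illustration, and `window` is a stand-in so the code runs outside a browser.

```javascript
// Constructed stand-in for the browser global so this runs under Node;
// in a page `window` is the real global object (assumption).
var window = {};

// Host-side error log; entries hold only plain strings and numbers.
var errorLog = [];

var MAX_TEXT = 200;

// Reduce an untrusted argument to a bounded plain string without calling
// any method on it (a guest-supplied object could define its own toString).
function safeText(value) {
    if (typeof value === 'string') {
        return value.slice(0, MAX_TEXT);
    }
    return '[non-string ' + typeof value + ']';
}

// Reduce an untrusted line or column argument to a finite number, or -1.
function safeNumber(value) {
    return (typeof value === 'number' && isFinite(value)) ? value : -1;
}

// Build a log entry from the window.onerror arguments. Nothing here is
// evaluated, inserted into the DOM, or forwarded to another service.
function recordError(message, source, line, column, error) {
    var entry = {
        message: safeText(message),
        source: safeText(source),
        line: safeNumber(line),
        column: safeNumber(column),
        error: safeText(error)
    };
    errorLog.push(entry);
    return entry;
}

window.onerror = function (message, source, line, column, error) {
    recordError(message, source, line, column, error);
    // Returning true tells the browser the error has been handled
    // (standard window.onerror semantics).
    return true;
};
```

The handler deliberately avoids String(value) and template formatting of the raw arguments, because either would invoke a toString the guest may control; the typeof checks mean the only guest-influenced values that reach the log are string contents and numbers, both capped.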