Making JavaScript Safe for Advertising.

JavaScript, the programming language of the web browser, is not a secure language. Any script in a page has intimate access to all of the information and relationships of the page. This makes use of mashups and scripted advertising unacceptably risky.

ADsafe makes it safe to put guest code (such as third party scripted advertising or widgets) on a web page. ADsafedefines a subset of JavaScript that is powerful enough to allow guest code to perform valuable interactions, while at the same time preventing malicious or accidental damage or intrusion. The ADsafe subset can be verified mechanically by tools like JSLint so that no human inspection is necessary to review guest code for safety. The ADsafe subset also enforces good coding practices, increasing the likelihood that guest code will run correctly.

The ADsafe subset blocks a script from accessing any global variables or from directly accessing the Document Object Model or any of its elements. Instead, ADsafe gives the script access to an ADSAFE object that is provided by the page’s server, giving indirect access to the guest code’s DOM elements and other page services.

ADsafe does not modify scripts. It will not make scripts bigger or slower or alter their behavior. ADsafe makes it possible to quickly and reliably determine that script is safe for placement on a site’s pages.

And because ADsafe verification is not destructive, it can be performed at every stage of the deployment pipeline, or even after delivery as part of compliance testing.

How ADsafe Works.

ADsafe removes features from JavaScript that are either unsafe or grant uncontrolled access to unsafe browser components or that contribute to poor code quality. The removed features include

  • Global variables
    • ADsafe‘s object capability model prohibits the use of most global variables. Limited access to Array,Boolean, Number, String, and Math is allowed.
  • this
    • If a method is called as a function, this is bound to the global object. Since ADsafe needs to restrict access to the global object, it must prohibit the use of this in guest code.
  • arguments
    • Access to the arguments pseudo-array is not allowed.
  • eval
    • The eval function provides access to the global object.
  • with statement
    • The with statement modifies the scope chain, making static analysis impossible.
  • Dangerous methods and properties: arguments callee caller constructor eval prototype stack unwatch valueOf watch
    • Capability leakage can occur with these names in at least some browsers, so use of these names with .notation is prohibited.
  • Names starting or ending with _.
    • Some browsers have dangerous properties or methods that have a dangling _.
  • [ ] subscript operator except when the subscript is a numeric literal or string literal or an expression that must produce a number value. So expressions like a[i] are disallowed because we cannot statically determine that i is not one of the dangerous property names. But a[+i] is allowed, because +i will always produce a number.
    • Lookup of dynamic properties could provide access to the restricted members. Use the ADSAFE.get and ADSAFE.set methods instead.
  • Date and Math.random
    • Access to these sources of non-determinism is restricted in order to make it easier to determine how widgets behave.

The good features of the language, including most of the methods of the standard types, are available to guest code. ADsafe provides in place of the excluded features an ADSAFE object that contains methods that restore the functionality in a safe way. For example, ADSAFE.get(object, key) and ADSAFE.set(object, key, value) take the place of the subscript operator.

Restrictions

All files and components must be encoded in UTF-8 and be properly identified as such.

Untrusted code will be able to indirectly call the window.onerror handler. The handler must be coded such that being called by untrusted code will cause no breach.

None of the prototypes of the built-in types may be augmented with methods that can breach ADsafe‘s containment.

All of the HTML id attributes defined on the page must be unique.

The ADSAFE Object

The ADSAFE object provides the base capabilities to the widget. The methods in the ADSAFE object are run-only; they cannot be copied or replaced.

Name Description
create(object) Create a new empty object that inherits from object.
get(object, name) Get the value of the object‘s name property.
go(id, function) Start the widget. The id string must match the id of the widget’s div.
has(object, name) true if the object has an own property with that name.
id(id) Identify the widget. The id string must match the id of the widget’s div.
isArray(value) Returns true if the value is an array.
keys(object) Produce an array of keys from the own enumerable properties of an object.
later(function, milliseconds) Call a function in the future.
lib(name, function) Register an ADsafe library.
log(string) Post the string to the browser’s log. On some browsers it is necessary to start the debugger and select the console tab to see the log. This method is a debugging convenience.
remove(object, name) Remove a property from the object.
set(object, name, value) Set a property’s value on the object.

Our most popular topics on Adsafe.org