Although JavaScript is an important part of Web 2.0, it has historically been a major source of security holes. Code from malicious advertisers and cross-site-scripting (XSS) attacks are particularly pervasive problems. In this paper, we explore dynamic information flow to prevent the loss of confidential information from malicious JavaScript code. In particular, we extend prior dynamic information flow techniques to deal with the many complexities of JavaScript, including mutable and extensible objects and arrays, dynamic prototype chains for field and method inheritance, functions with implicit this arguments that are also used as methods and constructors, etc. We formally verify that our extended dynamic analysis provides termination-insensitive non-interference.