Skip to main content
Dynamic Information Flow Analysis for Featherweight JavaScript
Technical Report UCSC-SOE-11-19 (2011)
  • Thomas H. Austin, University of California, Santa Cruz
  • Tim Disney, University of California, Santa Cruz
  • Cormac Flanagan, University of California, Santa Cruz
  • Alan Jeffrey
Although JavaScript is an important part of Web 2.0, it has historically been a major source of security holes. Code from malicious advertisers and cross-site-scripting (XSS) attacks are particularly pervasive problems. In this paper, we explore dynamic information flow to prevent the loss of confidential information from malicious JavaScript code. In particular, we extend prior dynamic information flow techniques to deal with the many complexities of JavaScript, including mutable and extensible objects and arrays, dynamic prototype chains for field and method inheritance, functions with implicit this arguments that are also used as methods and constructors, etc. We formally verify that our extended dynamic analysis provides termination-insensitive non-interference.
  • Dynamic information,
  • flow analysis,
  • JavaScript,
  • Cross-site-Scripting,
  • Termination,
  • malicious advertisers
Publication Date
September 22, 2011
Publisher Statement
SJSU users: use the following link to login and access the article via SJSU databases
Citation Information
Thomas H. Austin, Tim Disney, Cormac Flanagan and Alan Jeffrey. "Dynamic Information Flow Analysis for Featherweight JavaScript" Technical Report UCSC-SOE-11-19 (2011)
Available at: