Page 219 - Journal of Software (《软件学报》), 2021, Issue 8
Luo Wu, et al.: A survey of browser same-origin policy security research 2501
[42] Vastel A, Laperdrix P, Rudametkin W, et al. FP-scanner: The privacy implications of browser fingerprint inconsistencies. In: Proc.
of the 2018 USENIX Security Symp. (USENIX Security 2018). 2018. 135−150.
[43] Patra J, Dixit PN, Pradel M. Conflictjs: Finding and understanding conflicts between JavaScript libraries. In: Proc. of the 2018
Int’l Conf. on Software Engineering (ICSE 2018). 2018. 741−751. [doi: 10.1145/3180155.3180184]
[44] Tran T, Pelizzi R, Sekar R. Jate: Transparent and efficient JavaScript confinement. In: Proc. of the 2015 Annual Computer
Security Applications Conf. (ACSAC 2015). 2015. 151−160. [doi: 10.1145/2818000.2818019]
[45] Agten P, VanAcker S, Brondsema Y, et al. JSand: Complete client-side sandboxing of third-party JavaScript without browser
modifications. In: Proc. of the 2012 Annual Computer Security Applications Conf. (ACSAC 2012). 2012. 1−10. [doi: 10.1145/2420950.2420952]
[46] Musch M, Steffens M, Roth S, et al. ScriptProtect: Mitigating unsafe third-party JavaScript practices. In: Proc. of the 2019 ACM
Asia Conf. on Computer and Communications Security (Asia CCS 2019). 2019. 391−402. [doi: 10.1145/3321705.3329841]
[47] Reis C, Dunagan J, Wang HJ, et al. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In: Proc. of the 7th
USENIX Symp. on Operating Systems Design and Implementation. 2006. [doi: 10.1145/1281480.1281481]
[48] Miller MS, Samuel M, Laurie B, et al. Safe active content in sanitized JavaScript. Google Inc., Technical Report, 2008.
[49] Guarnieri S, Livshits VB. GATEKEEPER: Mostly static enforcement of security and reliability policies for JavaScript code. In:
Proc. of the 2009 USENIX Security Symp. (USENIX Security 2009). 2009. 78−85.
[50] Ter Louw M, Ganesh KT, Venkatakrishnan VN. AdJail: Practical enforcement of confidentiality and integrity policies on Web
advertisements. In: Proc. of the 2010 USENIX Security Symp. (USENIX Security 2010). 2010. 371−388.
[51] Mickens J. Pivot: Fast, synchronous mashup isolation using generator chains. In: Proc. of the 2014 IEEE Symp. on Security and
Privacy (SP 2014). 2014. 261−275. [doi: 10.1109/SP.2014.24]
[52] Luo Z, Rezk T. Mashic compiler: Mashup sandboxing based on inter-frame communication. In: Proc. of the 2012 IEEE Computer
Security Foundations Symp. (CSF 2012). 2012. 157−170. [doi: 10.1109/CSF.2012.22]
[53] Wang HJ, Fan X, Howell J, et al. Protection and communication abstractions for Web browsers in MashupOS. ACM SIGOPS
Operating Systems Review, 2007. 1−16. [doi: 10.1145/1323293.1294263]
[54] Dong X, Tran M, Liang Z, et al. AdSentry: Comprehensive and flexible confinement of JavaScript-based advertisements. In: Proc.
of the 2011 Annual Computer Security Applications Conf. (ACSAC 2011). 2011. 297−306. [doi: 10.1145/2076732.2076774]
[55] Meyerovich LA, Livshits B. ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In:
Proc. of the 2010 IEEE Symp. on Security and Privacy (SP 2010). 2010. 481−496. [doi: 10.1109/SP.2010.36]
[56] Van Acker S, De Ryck P, Desmet L, et al. WebJail: Least-privilege integration of third-party components in Web mashups. In:
Proc. of the 2011 Annual Computer Security Applications Conf. (ACSAC 2011). 2011. 307−316. [doi: 10.1145/2076732.2076775]
[57] MDN Web Docs. Window.postMessage JavaScript API. 2019. https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
[58] Moshchuk A, Wang HJ, Liu Y. Content-based isolation: Rethinking isolation policy design on client systems. In: Proc. of the
2013 ACM SIGSAC Conf. on Computer and Communications Security (CCS 2013). 2013. 1167−1180. [doi: 10.1145/2508859.2516722]
[59] Barth A, Jackson C, Mitchell JC. Securing frame communication in browsers. Communications of the ACM, 2009,52(6):83−91.
[60] Stefan D, Yang EZ, Marchenko P, et al. Protecting users by confining JavaScript with COWL. In: Proc. of the 2014 USENIX
Symp. on Operating Systems Design and Implementation (OSDI 2014). 2014. 131−146.
[61] Stefan D, Alkhelaifi A. W3C draft for COWL. 2017. https://w3c.github.io/webappsec-cowl/
[62] Jayaraman K, Du W, Rajagopalan B, et al. Escudo: A fine-grained protection model for Web browsers. In: Proc. of the 2010 IEEE
Int’l Conf. on Distributed Computing Systems (ICDCS 2010). 2010. 231−240. [doi: 10.1109/ICDCS.2010.71]
[63] Luo T, Du W. Contego: Capability-based access control for Web browsers. In: Proc. of the 2011 Int’l Conf. on Trust and
Trustworthy Computing (Trust 2011). 2011. 231−238. [doi: 10.1007/978-3-642-21599-5_17]
[64] Steven SI, Bellovin SM. Building a secure Web browser. In: Proc. of the 2001 USENIX Conf. on Annual Technical Conf.
FREENIX Track (ATC 2001). 2001. 127−134.