Isolating malicious content scripts of browser extensions
by Kailas Patil
International Journal of Information Privacy, Security and Integrity (IJIPSI), Vol. 3, No. 1, 2017

Abstract: In recent years, browser extensions gain great popularity among users, as they significantly enhance functionality and improve the usability of web browsers. Browser extensions can have high privileges to access web page content, thus recent browsers, such as Chrome, controls their capabilities with permissions. However, permission control is not effective to control the behaviours of content scripts injected into web sessions. Once injected into victim web sessions, malicious content scripts can perform all sorts of actions in a web application without user's knowledge. Therefore, content scripts pose serious threats to the confidentiality and integrity of web application data. To address this problem, we propose a mechanism, SessionGuard, which isolates content scripts in an isolated environment, called the shadow DOM. With the shadow DOM, SessionGuard provides content scripts an encrypted view of web application data, and controls their access to the original DOM. We have developed a proof-of-concept prototype in the Google Chrome web browser with little effect on normal browsing experience. Our experiments with real-world browser extensions demonstrate the effectiveness of the SessionGuard in protecting the confidentiality and integrity of web application data against malicious content scripts.

Online publication date: Tue, 26-Sep-2017

The full text of this article is only available to individual subscribers or to users at subscribing institutions.

Existing subscribers:
Go to Inderscience Online Journals to access the Full Text of this article.

Pay per view:
If you are not a subscriber and you just want to read the full contents of this article, buy online access here.

Complimentary Subscribers, Editors or Members of the Editorial Board of the International Journal of Information Privacy, Security and Integrity (IJIPSI):
Login with your Inderscience username and password:

    Username:        Password:         

Forgotten your password?

Want to subscribe?
A subscription gives you complete access to all articles in the current issue, as well as to all articles in the previous three years (where applicable). See our Orders page to subscribe.

If you still need assistance, please email