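@comment{ Entry cleaned from a one-line site export: @conference replaced by its
  canonical alias @inproceedings, author names put in unambiguous "Last, First"
  form, the proper noun in the title and the venue acronyms brace-protected, and
  the backslash-space line-break artifacts stripped from the abstract. The
  citation key is kept unchanged so existing \cite{300601} references still
  resolve. Page numbers are not given in the source export and are left out. }

@inproceedings{300601,
  author    = {Mickens, James and Finifter, Matthew},
  title     = {{Jigsaw}: Efficient, Low-effort Mashup Isolation},
  booktitle = {{USENIX} {WebApps}},
  year      = {2012},
  address   = {Boston, MA},
  publisher = {USENIX Association},
  url       = {http://scholar.harvard.edu/files/mickens/files/jigsaw.pdf},
  keywords  = {web security, mashup isolation, JavaScript},
  abstract  = {A web application often includes content from a variety of
    origins. Securing such a mashup application is challenging because origins
    often distrust each other and wish to expose narrow interfaces to their
    private code and data. Jigsaw is a new framework for isolating these mashup
    components. Jigsaw is an extension of the JavaScript language that can be
    run inside standard browsers using a Jigsaw-to-JavaScript compiler. Unlike
    prior isolation schemes that require developers to specify complex,
    error-prone policies, Jigsaw leverages the well-understood public/private
    keywords from traditional object-oriented languages, making it easy for a
    domain to tag internal data as externally visible. Jigsaw provides strong
    iframe-like isolation, but unlike previous approaches that use actual
    iframes as isolation containers, Jigsaw allows mutually distrusting code to
    run inside the same frame; this allows scripts to share state using
    synchronous method calls instead of asynchronous message passing. Jigsaw
    also introduces a novel encapsulation mechanism called surrogates.
    Surrogates allow domains to safely exchange objects by reference instead of
    by value. This improves sharing efficiency by eliminating cross-origin
    marshaling overhead.},
}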