一种Web应用中轻量级的JavaScript API保护机制  被引量：2

作　　者：刘树凯[1,2] 颜学雄 王清贤[1,2] 赵旭 柴川森[1,2] LIU Shukai;AN Xuexiong;ANG Qingxian;HAO Xu;CHAI Chuansen(ormation Engineering University;Zhengzhou 450001,Chin;2.tate Key Laboratory of Mathematical Engineering and Advanced Computin;Zhengzhou 450001,China)

机构地区：[1]信息工程大学,河南郑州450001 [2]数学工程与先进计算国家重点实验室,河南郑州450001

出　　处：《信息工程大学学报》2018年第2期220-225,共6页Journal of Information Engineering University

基　　金：国家863计划资助项目(2012AA012902)

摘　　要：随着Java Script API的功能日益强大,对Java Script API保护机制的缺失,导致Web应用面临严重的安全风险。提出一种轻量级的Web页面Java Script API的保护机制PMJA,证明由PMJA保护的Java Script API不被攻击者恶意利用。PMJA定义浏览器为Web页面提供安全风险的Java Script API,允许开发者细粒度的配置每个页面可访问有安全风险的Java Script API。策略语言简单易用,开发者可自动为Web页面设计策略,使用PMJA对Web页面渲染效率的影响较小。实验结果表明,使用PMJA页面的渲染时间增加0.7%~5.1%,平均不足2.8%。由于在Web页面中嵌入一段Java Script代码即可实现,PMJA直接部署到现有的Web应用中。With the increasingly powerful Java Script APIs such as HTML5 APIs,the lack of access control for Java Script APIs results in serious security risks faced by web applications. In this paper,a new access control for Java Script APIs in web pages named PMJA for short is proposed. It is proved that PMJA only enhances the security of web application because no new functionality is introduced and that the Java Script APIs protected by PMJA cannot be used by malicious attackers. PMJA defines the Java Script APIs provided by web browsers which are facing with serious security risks,and allows developers to flexibly assign accessible Java Script API of each web page. The policy language of PMJA is simple to use and developers can automatically design PMJA policies for the web pages. Furthermore,using PMJA in the web page has little impact on the efficiency of rendering,and the experimental results show that the rendering time increases from 0. 7% to 5. 1% and is no more than2. 8% on average. PMJA can be implemented by embedding a piece of Java Script code to the web page so that it can be directly deployed to existing or future web applications.

关 键 词：WEB应用 内容安全策略 跨站脚本 JAVASCRIPT API 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]