Location-Based Service

This scenario demonstrates declassification of a client-side secret, in this case the user’s position. Third parties and the application server may only receive declassified obfuscated coordinates. Our implementation performs declassification by defining a function that adds a random offset to a float value. This function is applied to the confidential latitude and longitude values. The exact location coordinates are isolated in the browser in the same way as the password in the previous scenario. We provide two variants of the location-based service to showcase two different attacker models. The first example embeds a map via an IFrame, where the position is an argument to the source attribute of the IFrame. The following snippet shows how the use of declassified coordinates is permitted, while exact coordinates are blocked:

    // Allowed: obfuscated coordinates. The argument is parenthesized so the
    // whole concatenated URL, not just the first literal, is passed to Src.
    let iframeSrc = Src
        ("https://maps.example.com/?q=" +
         (string (randomize Lat)) + "," + (string (randomize Lon)))

    // Blocked: exact coordinates reach the IFrame source unchanged.
    let iframeSrc' = Src
        ("https://maps.example.com/?q=" +
         (string Lat) + "," + (string Lon))
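To make the allowed/blocked distinction concrete, here is an added F# model of the policy (it is not code from the paper or from WebSharper). It assumes hypothetical Secret and Public wrapper types, a Policy module whose randomize function is the only declassification point, and a constructed sample position; the enforcement here is the type distinction, whereas the paper's system tracks flows dynamically.

```fsharp
open System

/// A confidential browser-side value. Its representation is private, so code
/// outside this file cannot read or pattern-match the payload.
type Secret<'T> = private Confidential of 'T

/// A value the policy lets flow to the server or to third parties.
type Public<'T> = Declassified of 'T

module Policy =
    /// Wrap a value read on the client (e.g. from the geolocation API).
    let protect (v: 'T) : Secret<'T> = Confidential v

    /// The single declassification point: add a bounded random offset
    /// (in degrees) so only an obfuscated coordinate leaves the browser.
    let randomize (rng: Random) (maxOffset: float) (coord: Secret<float>) : Public<float> =
        let (Confidential c) = coord
        let offset = (rng.NextDouble() * 2.0 - 1.0) * maxOffset
        Declassified (c + offset)

/// The map URL is built from declassified coordinates only.
let iframeSrc (Declassified lat) (Declassified lon) : string =
    sprintf "https://maps.example.com/?q=%f,%f" lat lon

// Constructed sample position; not a value from the paper.
let exactLat = Policy.protect 48.2082
let exactLon = Policy.protect 16.3738
let rng = Random()

// Allowed: both coordinates pass through randomize before reaching the URL,
// so the server and the map provider see a point within 0.01 degrees.
let allowed =
    iframeSrc (Policy.randomize rng 0.01 exactLat)
              (Policy.randomize rng 0.01 exactLon)

// Blocked: Secret<float> is not Public<float>, so this line does not compile.
// let blocked = iframeSrc exactLat exactLon

printfn "%s" allowed
```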

The second example includes a third-party library called via F#. We use the Google Maps extension for WebSharper and wrap the initialization and panning of the map within the policy, both having low side-effects and low values. Since the extension wraps the original JavaScript code, we have to fully trust the F#-to-JavaScript extension and the JavaScript code implementing the WebSharper APIs. The scenario consists of 76 F# and 6279 generated JavaScript LOCs.