Password Meter

We have included the password meter to demonstrate a policy with full client isolation, where the password is not allowed to leak from the browser at all. The policy declares password fields as sensitive sources. Leaks to third parties and to the application server are prevented by assigning low levels to the source attribute and to the arguments and side effects of RPC functions, respectively. The scenario assumes that the server is untrusted, as it should not receive the password. A problem with this view is that the JavaScript code executed by the client is usually delivered by the same or another untrusted server, so the integrity of the client-side code after the security type check is not guaranteed. Changes made to the code outside the normal build process are not subject to the security policy and can thus be abused to leak confidential data. Therefore we have to put trust in the integrity of the code delivered by the application server, which we summarize as partial trust. Alternatively, remote attestation methods such as code or certificate signatures can be used to remove this assumption. The following code snippets show a password check that is accepted by JSLINQ and two leaks via the source attribute that are correctly blocked.

    // Allowed: Secret only in browser.
    let content =
        if (containsLetters password)
        then Text "Passed" else Text "Failed"

    // Blocked: Leak via source attribute.
    let content' =
        Image [Src ("http://example.com/img.png?" + password)]

    // Blocked: Leak via side-effects.
    let content'' = Src (if secret = "jSL!Nq42"
                         then "http://example.com/true.jpg"
                         else "http://example.com/false.jpg")

This application consists of 53 F# and 6215 generated JavaScript LOCs.
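The accept/block decisions for the three snippets can be reproduced with a toy two-level label checker. This is an added illustration, not JSLINQ's type system or code from the paper. The AST constructors, the `check` function and the modelling of `Text` as a high (browser-only) sink are assumptions made for the example.

```python
from collections import namedtuple

LOW, HIGH = 0, 1  # two-point lattice: LOW data may flow to HIGH, never the reverse

# Hypothetical mini-AST, just large enough to encode the three snippets.
Var = namedtuple("Var", "name")              # variable reference
Lit = namedtuple("Lit", "value")             # constant
Op = namedtuple("Op", "args")                # pure operator or call (+, =, containsLetters)
If = namedtuple("If", "cond then other")     # conditional expression
Sink = namedtuple("Sink", "name level arg")  # Text, Src, RPC argument: observable at `level`

class Leak(Exception):
    pass

def check(e, env, pc=LOW):
    """Return the label of e under program-counter label pc; raise Leak on an illegal flow."""
    if isinstance(e, Lit):
        return pc                        # a constant still reveals that this branch ran
    if isinstance(e, Var):
        return max(pc, env[e.name])
    if isinstance(e, Op):
        return max([pc] + [check(a, env, pc) for a in e.args])
    if isinstance(e, If):
        guard = check(e.cond, env, pc)   # both branches run under the guard's label
        return max(check(e.then, env, guard), check(e.other, env, guard))
    label = check(e.arg, env, pc)        # remaining case: Sink
    if label > e.level:
        raise Leak(f"{e.name}: level {label} flows to level {e.level}")
    return label

def accepted(e, env):
    try:
        check(e, env)
        return True
    except Leak:
        return False

ENV = {"password": HIGH, "secret": HIGH}     # password fields are sensitive sources
# The three snippets from the text, encoded as constructed ASTs.
ALLOWED = If(Op([Var("password")]),
             Sink("Text", HIGH, Lit("Passed")), Sink("Text", HIGH, Lit("Failed")))
EXPLICIT = Sink("Src", LOW, Op([Lit("http://example.com/img.png?"), Var("password")]))
IMPLICIT = Sink("Src", LOW, If(Op([Var("secret"), Lit("jSL!Nq42")]),
                               Lit("http://example.com/true.jpg"),
                               Lit("http://example.com/false.jpg")))

if __name__ == "__main__":
    for name, e in [("ALLOWED", ALLOWED), ("EXPLICIT", EXPLICIT), ("IMPLICIT", IMPLICIT)]:
        print(name, "accepted" if accepted(e, ENV) else "blocked")
```

The third case is rejected even though both URLs are constants: the program-counter label raised by the secret guard taints whichever constant reaches the low `Src` sink.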