A new privacy system developed by Google, Mozilla and researchers from University College London, Stanford Engineering and Chalmers aims to address an increasingly prevalent online security risk caused by websites that draw content from numerous sources.
Confinement with Origin Web Labels, or COWL for short, stops malicious code in a website from doing malicious things, without stopping the website from displaying content from numerous other websites as part of its service.
Pulling in elements from other sources in order to offer specific features is a key feature of a growing number of modern websites. It’s how price comparison or aggregation sites work for example — pulling in data from a host of sources and then displaying them in the browser.
The problem is that automatically grabbing code from a host of different sources runs the risk of grabbing some potentially suspicious JavaScript too, the sort of code that can grab a user’s information and share it with a third-party site.
Even with the best will in the world, developers aren’t capable of sifting through every line of code in every site where elements of their own site could be drawn. Adding to the risk is the fact that most developers use JavaScript that has already been written — 77 percent of the world’s top 10,000 websites incorporate a JavaScript library written by a third party.
“COWL confines JavaScript programs that run within the browser, such as in separate tabs. If a JavaScript program embedded within one web site reads information provided by another web site — legitimately or otherwise — COWL permits the data to be shared, but thereafter restricts the application receiving the information from communicating it to unauthorized parties. As a result, the site that shares data maintains control over it, even after sharing the information within the browser,” said University College London Professor Brad Karp.
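The behaviour described in the quote above (reading is permitted, but later communication is restricted) can be sketched as a simplified model. This is an added example, not COWL's actual API or code from the project; `ConfinedContext`, `labeled()` and all origins are hypothetical names chosen for illustration.

```javascript
// Simplified model of label-based confinement. Not COWL's real API:
// ConfinedContext, labeled() and every origin below are hypothetical.

// Wrap a value with the set of origins authorized to receive it.
function labeled(value, authorizedOrigins) {
  return { value, label: new Set(authorizedOrigins) };
}

class ConfinedContext {
  constructor(origin) {
    this.origin = origin;
    this.allowed = null; // null = nothing sensitive read yet, unrestricted
    this.sent = [];      // stands in for the network
  }

  // Reading always succeeds, but narrows where this context may send later.
  read(data) {
    this.allowed = this.allowed === null
      ? new Set(data.label)
      : new Set([...this.allowed].filter((o) => data.label.has(o)));
    return data.value;
  }

  // Outbound messages are checked against the accumulated restriction.
  send(destOrigin, payload) {
    if (this.allowed !== null && !this.allowed.has(destOrigin)) {
      return false; // blocked: destination not authorized for data already read
    }
    this.sent.push({ destOrigin, payload });
    return true;
  }
}

// Constructed scenario: a third-party library running in an aggregator page.
function demo() {
  const lib = new ConfinedContext("https://aggregator.example");
  const before = lib.send("https://tracker.example", "ping");
  const balance = lib.read(labeled("balance=1200", ["https://bank.example"]));
  const leak = lib.send("https://tracker.example", balance);
  const back = lib.send("https://bank.example", balance);
  // Mixing in a second site's data leaves no common authorized destination.
  lib.read(labeled("cart=3", ["https://shop.example"]));
  const afterBoth = lib.send("https://bank.example", balance);
  return { before, leak, back, afterBoth, delivered: lib.sent.length };
}
```

In this model the restriction follows the context rather than the individual value, so a script cannot evade it by copying or re-encoding what it read.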
COWL will be given to developers, for free, later this month so that they can incorporate it into their websites and automatically offer visitors an extra layer of online security.
Deian Stefan, lead PhD student on the project at Stanford, said: “What we’ve achieved in COWL is a system that lets web developers build feature-rich applications that combine data from different web sites without requiring that users share their login details directly with third-party web applications, all while ensuring that the user’s sensitive data seen by such an application doesn’t leave the browser. Both web developers and users win.”