WWW2025
Beast in the Cage: A Fine-grained and Object-oriented Permission System to Confine JavaScript Operations on the Web
Rui Zhao
2 citations
Abstract
JavaScript plays a crucial role on the web. However, the inclusion of unknown, vulnerable, and malicious scripts on websites and in browser extensions, and the use of browsers' developer tools, often lead to undesired web content manipulations and data acquisitions. To restrict JavaScript operations on web content and data, we introduce a fine-grained, mandatory access control-based, and object-oriented permission system to browsers. With our system, web developers can define policies for sensitive web elements on their web pages to allow or deny scripts' operations on web content and data within browsers. The system substantially thwarts many web threats and attacks, and offers benefits to personal data governance. We developed a tool for automatic policy generation and demonstrated the usability and compatibility of the system in a three-month study. Our system is a reasonable and practical solution, bolstering security and trustworthiness on the internet.