People's Newsroom


The client-side execution context controls the dynamic behavior of a Web application within the browser. The execution context runs the application’s JavaScript code, which has access to the page’s HTML tree and contents through the Document Object Model (DOM), as well as to the browser-provided features and APIs, which enable navigating the page, communicating with remote servers, interacting with the client device, and storing information on the client side. A client-side execution context has a specific origin, defined as the triple (scheme, host, port), which is derived from the URI of the page associated with the execution context.

As the Web matured, technologies like frames, tabs, and pop-up windows permitted the simultaneous execution of several Web applications in their respective client-side execution contexts. These contexts can to some degree communicate with one another within the browser, as well as with remote servers. The browser’s core security policy, the Same-Origin Policy (SOP), enforces restrictions on this communication, to prevent execution contexts with different origins from directly influencing one another. The SOP introduces a basic security boundary that prevents a resource from accessing another resource’s context unless their origins match. As a result, different Web applications can coexist in the same Web browser with a basic isolation and confidentiality guarantee against one another. With the introduction of additional browser features, the restrictions imposed by the Same-Origin Policy have become even more important. For example, the modern client-side storage APIs use origin-specific storage containers, restricting access to the specific content associated with the requesting script’s context. Similarly, several APIs require explicit user permission before exposing sensitive data or features to the execution context, and these permissions are associated with the requesting context’s origin. Examples are sharing the device’s location and capturing audio or video.

While the SOP effectively separates execution contexts from different origins from one another, there is no separation mechanism that supports the isolation of a specific piece of code within an execution context. The main use case for such code isolation is the inclusion of remote JavaScript files, used by almost every modern Web application to include libraries, advertisements, or analytics code. As this third-party code is integrated into the host page’s execution context without any boundaries, the third-party code gains access to all the features associated with the host page’s origin. This effectively imposes a strong trust relationship between the host origin and the third-party provider, which is easily violated through malicious behavior, or by an attacker that compromises the third-party provider.
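The origin triple, the same-origin comparison, and origin-specific storage described above can be modelled in a few lines. This is an added example, not code from the original page or from any browser; the function and class names, the sample hostnames, and the treatment of non-HTTP schemes as opaque origins are assumptions of this sketch.

```javascript
// Default ports for the schemes this model handles.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Derive the (scheme, host, port) triple from a page URI. Returns null for
// schemes outside the table (data:, file:, ...): this model treats those as
// opaque origins that never match anything, including themselves.
function originOf(uri) {
  const u = new URL(uri); // WHATWG parser: lowercases host, drops default port
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// The SOP comparison: all three components must be equal.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Model of origin-specific storage: one container per origin triple.
class OriginKeyedStorage {
  constructor() { this.containers = new Map(); }
  containerFor(pageUri) {
    const o = originOf(pageUri);
    if (o === null) throw new Error("opaque origin has no storage container");
    const key = `${o.scheme}://${o.host}:${o.port}`;
    if (!this.containers.has(key)) this.containers.set(key, new Map());
    return this.containers.get(key);
  }
}

// Constructed sample URIs: [page A, page B, expected same-origin result].
const CASES = [
  ["https://shop.example/cart", "HTTPS://Shop.Example:443/account", true],
  ["https://shop.example/", "http://shop.example/", false],        // scheme
  ["https://shop.example/", "https://cdn.shop.example/", false],   // host
  ["https://shop.example/", "https://shop.example:8443/", false],  // port
  ["data:text/html,<p>a</p>", "data:text/html,<p>a</p>", false],   // opaque
];
const results = CASES.map(([a, b, want]) => sameOrigin(a, b) === want);

const storage = new OriginKeyedStorage();
storage.containerFor("https://shop.example/cart").set("session", "constructed");
// A framed page from another origin gets a different, empty container.
const framedRead = storage.containerFor("https://ads.example/frame").get("session");
// A third-party script included in the cart page runs in that page's context,
// so the lookup uses the host page's URI and sees the host's data.
const includedRead = storage.containerFor("https://shop.example/cart").get("session");
console.log(results, framedRead, includedRead);
```

The last two reads show the gap the preceding paragraph describes: the same third-party code is isolated when it runs in its own frame, but shares everything when it is included as a script in the host page.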
