COWL Project Promises to Better Secure JavaScript Applications

Modern Web applications by definition are an amalgamation of JavaScript code typically mashed together to create something greater than the sum of its parts. The challenge is that every developer has to trust that sensitive data won’t inadvertently leak out. To address that issue, Chalmers University of Technology, Stanford University, the University College of London, Google and Mozilla Research are working on a project that promises to give JavaScript developers a method for limiting both access to and usage of untrusted code.

Alejandro Russo, visiting associate professor at Stanford, says the Confinement with Origin Web Labels (COWL) project will bring label-based mandatory access control to browsing in a way that is fully backward-compatible with legacy Web content. COWL enables both the secure inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple sources, he says.

COWL is written in JavaScript, and developers can use it to impose restrictions on how their data is used even after it's shared with others, Russo says. Once code has read data deemed sensitive, COWL confines the code by revoking its right to communicate with unauthorized parties.
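The confinement rule described above, sketched as a simplified model. This is an added example, not code from the COWL project: the class and method names (`LabeledValue`, `Context`, `read`, `canSendTo`, `send`) and the example origins are hypothetical, and a label is reduced here to a plain set of origins.

```javascript
// Simplified model of label-based confinement (hypothetical names, not COWL's API).
// A label is the set of origins whose sensitive data has been observed.

class LabeledValue {
  constructor(value, origins) {
    this.value = value;
    this.label = new Set(origins);
  }
}

class Context {
  constructor(name) {
    this.name = name;
    this.label = new Set(); // nothing sensitive read yet
    this.sent = [];
  }

  // Reading labeled data raises the context's label; it never goes back down.
  read(labeled) {
    for (const origin of labeled.label) this.label.add(origin);
    return labeled.value;
  }

  // Authorized only if every origin in the label is the destination itself.
  canSendTo(dest) {
    return [...this.label].every((origin) => origin === dest);
  }

  send(dest, payload) {
    if (!this.canSendTo(dest)) {
      throw new Error(`${this.name}: flow to ${dest} blocked by label`);
    }
    this.sent.push({ dest, payload });
  }
}

// Constructed scenario: a third-party script in a mashup page.
function runScenario() {
  const BANK = "https://bank.example";
  const SHOP = "https://shop.example";
  const TRACKER = "https://tracker.example";
  const script = new Context("third-party-script");

  const before = script.canSendTo(TRACKER); // unconfined so far
  script.read(new LabeledValue({ balance: 1200 }, [BANK]));
  const afterBank = { tracker: script.canSendTo(TRACKER), bank: script.canSendTo(BANK) };
  script.read(new LabeledValue({ cart: ["book"] }, [SHOP]));
  const afterBoth = { bank: script.canSendTo(BANK), shop: script.canSendTo(SHOP) };
  return { before, afterBank, afterBoth };
}
```

In this model, a script that has read data from two different origins can no longer send to either one, which is the mashup case: it may combine the data locally but not export it.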

In effect, Russo says COWL allows developers to finally apply governance policies directly to code. Rather than trying to apply those policies to static data, COWL enables developers to apply policies at the time code is executing, in a way that doesn’t compromise Web application performance. The result is not only better protection of end-user data, but also a more secure Web, says Russo.

Developers have long wrestled with the desire to have as much flexibility as possible in terms of mashing up data and the need to secure that data, he says. Maintaining flexibility has led to massive amounts of innovation. But at the same time, concerns about privacy and security are starting to undermine end-user confidence in Web applications.

COWL works with Mozilla’s Firefox and the open source version of Google’s Chrome Web browsers. It may take a while for COWL to be universally adopted. But with support from Google and Mozilla, it would appear that COWL is being seriously considered as a mechanism to secure data and content regardless of how they are being accessed.

Of course, other providers of browsers would have to accept COWL to make it broadly applicable across the Web. But the fact that vendors are collaborating with academia to finally address privacy and security issues would suggest some progress is being made.
