Web browsers are computer programs that run on a user's data processing apparatus and provide access to information on the World Wide Web—submitting requests using the HyperText Transfer Protocol (HTTP) to Web server computers to retrieve Web pages and to browse or interact with Web page contents. Some Web browsers and similar HTTP clients can interpret script languages. Typically JavaScript™ (JAVASCRIPT is a registered trademark of Sun Microsystems in the United States and other countries) is used, although VBScript (Visual Basic Scripting Edition) is understood by some Web browsers and the mechanism is extensible to other languages. By including scripting-language instructions in the text of a page, authors can cause it, when viewed with a suitably-capable browser, to exhibit arbitrarily complex behavior as well as, or instead of, appearing as a static document. Such instructions may be included directly, or included by reference to a separate file in which the instructions are contained.
Embedded scripting instructions in a Web page are interpreted by a subsystem or “scripting engine” within the browser. This engine is itself written in a programming language, typically a more structured language such as C++ or Java™ (JAVA is a registered trademark of Sun Microsystems in the United States and other countries). The engine is capable of performing a number of operations; each scripting language instruction is literally an instruction to the engine to perform a specific one of its available operations.
The scripting engine also has access to the data structures that represent the Web page itself within the browser. Certain of the operations that can be performed by the engine involve reading from or writing to these data structures, effectively editing the page as viewed in the browser. Other sources of data that can be used in scripting operations include script variables, which can be set with an initial value or filled from any other source, and other data downloaded separately using a technique known as “XMLHttpRequest”.
As well as manipulating information strictly within the scripting engine, and exchanging information with the internal representation of a Web page, there exists a class of script instructions that cause the browser to interact with other systems via its network connection, or perform other actions normally commanded by a human user. The choice of instructions available in this set is typically limited in order to reduce the effect that a malicious script can have.
It is important to note that because scripts arrive as part of a Web page, and because scripts themselves may contain information which may later be inserted into a page, scripts themselves are a form of data and all considerations of “data elements” in this invention will apply equally to the list of instructions that make up a script.
As an example of how the above facilities may be used, consider a Web-based document-editing application delivered in the form of a Web page using AJAX (Asynchronous JavaScript and XML, where XML is the Extensible Markup Language) technology. A graphical Web browser initially downloads a page carrying the various display elements (such as rulers, buttons, and an area for editing text) and also referring to a file of scripting instructions. These instructions direct the scripting engine in how to respond to the user's actions. If the user were to activate the “bold” button, for instance, the scripting engine might be instructed to first read the page in order to determine which words in the text area the user has selected. This information would be used by another instruction that modifies the page data structures in such a way as to mark that text as bold. Finally, another part of the browser known as the “rendering engine” would read those marks, and as a result would cause the marked words to appear in boldface on the page.
Scriptable HTTP clients, such as Web browsers that support JavaScript, have traditionally loaded data from only one source location at a time. However, it is desirable in a Web services environment to be able to combine scripts and data from several source locations in one scripting environment. Returning to the example of a Web-based document editing application, it is currently necessary for users to expose and entrust their documents to the providers of the application, for example by uploading documents to the provider's server.
Although large numbers of application programs are currently being made available via the World Wide Web in the form of Web services that exploit scripts running within a Web browser and communicate with Web servers, many organizations and individuals are unwilling to accept the inherent exposure of their confidential documents. This limits use of the available applications.
It would be possible for applications of this kind, written in a scripting language within the client, to be run on data obtained from one or more different locations. However, once the scripts and data are loaded into the scripting environment, there is currently no suitable mechanism for ensuring that the scripts do not transmit the data back to their own servers, either maliciously or in the course of providing a function such as spell checking. The known solutions involve preventing unauthorized scripts from accessing certain files and objects, but this can be overly restrictive.
For example, U.S. Pat. No. 6,986,062 describes controlling the ability of scripts to access objects based on the origin of the scripts and defined permissions. Entries in a client's access control data structure include a source identifier field and a permission identifier field associated with an object—the origin of the script is recorded and subsequently checked, and unauthorized scripts are prevented from accessing certain objects.
U.S. Pat. No. 6,505,300 describes restricting execution context for untrusted content such as scripts. When a process attempts to access a resource, a token associated with the process is compared against security information for the resource to determine whether that access is allowed. The source of a script may determine how trusted it is and what processes can be performed on particular resources.
U.S. Patent Application No. 2006/0230452 discloses obtaining a file from an external location and adding tagging information regarding the origin of that file. The recorded origin can then be used for subsequent security policy decisions, such as whether to allow or block execution or rendering of the content.
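As an added illustration of the origin-tagging and origin-based access-control approaches described in the three references above, and of the exposure noted earlier (a script shipping another origin's data back to its own server), the following JavaScript is a toy model written for this page, not code from the patent, from any cited reference, or from any real browser; every identifier, the policy format and the origins app.example and docs.example are hypothetical.

```javascript
// Added toy model (not the patent's mechanism or any browser API): each data element
// carries its source origin; a script needs a matching policy entry to read or send it.

// Access-control table: every entry names a script origin (source identifier),
// a data origin, and a permission such as 'read' or 'send:<destination>'.
class AccessPolicy {
  constructor() { this.entries = []; }
  allow(scriptOrigin, dataOrigin, permission) {
    this.entries.push({ scriptOrigin, dataOrigin, permission });
    return this;
  }
  permits(scriptOrigin, dataOrigin, permission) {
    return this.entries.some((e) => e.scriptOrigin === scriptOrigin
      && e.dataOrigin === dataOrigin && e.permission === permission);
  }
}

// A scripting engine that consults the policy on every read and every
// network send; `sent` records what actually left the environment.
class Engine {
  constructor(policy) { this.policy = policy; this.sent = []; }
  read(scriptOrigin, element) {
    if (!this.policy.permits(scriptOrigin, element.origin, 'read')) {
      throw new Error(`read denied for ${scriptOrigin} on ${element.origin} data`);
    }
    return element.value;
  }
  send(scriptOrigin, element, destination) {
    if (!this.policy.permits(scriptOrigin, element.origin, `send:${destination}`)) {
      return false; // transmission refused; nothing leaves the client
    }
    this.sent.push({ destination, value: element.value });
    return true;
  }
}

// Constructed scenario: an editor script served from app.example works on a
// document loaded from docs.example. It may read the document and save it
// back to docs.example, but no entry lets it send the document to app.example.
function scenario() {
  const policy = new AccessPolicy()
    .allow('https://app.example', 'https://docs.example', 'read')
    .allow('https://app.example', 'https://docs.example', 'send:https://docs.example');
  const engine = new Engine(policy);
  const doc = { origin: 'https://docs.example', value: 'confidential draft' };
  const text = engine.read('https://app.example', doc);
  const leaked = engine.send('https://app.example', doc, 'https://app.example');
  const saved = engine.send('https://app.example', doc, 'https://docs.example');
  return { text, leaked, saved, sent: engine.sent };
}
```

The model deliberately keys the send permission on the destination, so the same script can be permitted to return a document to the server it came from while being refused any other destination, which is the distinction the restrictive object-level blocking of the prior art does not make.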