Web sites that incorporate untrusted content may use browser- or
language-based methods to keep such content from maliciously altering
pages, stealing sensitive information, or causing other harm. We use
accepted methods from the study of programming languages to
investigate language-based methods for filtering and rewriting
JavaScript code, using Facebook's FBJS as a motivating example.
We explain the core problems by describing previously unknown
vulnerabilities and shortcomings, provide JavaScript code that
enforces provable isolation properties at run-time, and develop a
foundation for improved solutions based on an operational semantics of the full ECMA262 language. We also compare our results with the
techniques used in FBJS.