1 function createCookie (a, e, b) {
2 if (b ) { var d = new Date ; ...... } else b = "" ;
3 docume nt .cookie = a + "\x3d" + e + b + "; path\ x3d /"
4 }
1 function createCookie (b, c, a) {
2 if (a ) { var d = new Date ; ...... } else a = "" ;
3 - 1 < google_tag_manager [" GTM -KBNVHH"]. macro (134) .indexOf ("
zoho .eu ") ?
4 docume nt .cookie = b + "\x3d" + c + a + "; domain \ x3d.zoho.eu ;
path \ x3d/" : ...... ;
5 }
Listing 1: Conicting denitions of createCookie() in dierent scripts
on https://www.zoho.com.
from the rest websites. We leave it as a future work to improve
our implementation. Except for those that were extremely large
(with over 1 million records), we were able to analyze 947 (98.96%)
assignment log les and 957 (100.00%) function denition les.
In summary, we found 47 variable value conicts on 25 websites,
728 function denition conicts on 85 websites, and 3 variable type
conicts on 2 websites. Note that if a conict was caused by the
same script, we do not report here.
Interestingly, we found 46 cookie-related functions were over-
written by at least one script. One example was detected on website
https://www.zoho.com, where 5 inline scripts all dened a global
function
createCookie()
. The denitions from dierent scripts are
slightly dierent, as shown in Listing 1.
Similarly, we discovered multiple denitions of function
getCookie
()
on https://zoom.us/. This shows that a JavaScript global name
conict could expose a victim user to security risks. For example, a
malicious third-party can manipulate
getCookie()
to force a user
to use the attacker’s session in the client-side code and trick the
application code into processing the attacker’s Cookie.
4 DISCUSSION AND FUTURE WORK
We now discuss the limitations of our current work and our future
work.
Incomplete Support of Objects.
An alternative way to dene
an object property is to initialize it through the identier
this
within the constructor or a method of an object. For example,
t = new Obj(. . .) {this.p = e
;
}
. In order to determine the object
that
this
refers to, we need to know the receiver object of the
methods. We plan to support it in our future work.
Function Denition Conicts.
Except for directly declaring a
global function, a script can also assign a function literal to a global
identier, e.g.,
f = f unction(){.. . }
. This could result in a function
denition conict or a type conict. To detect this kind of conicts,
we need to also cross check the function denition logs and variable
write logs. We will include this analysis in our future work.
Characterization of Conicts.
Our categorization of the de-
tected conicts is not sucient for comprehensively investigating
the problem of JavaScript global name conicts. For example, it
would be interesting to analyze the conicts of third-party scripts
overwriting rst-party dened names. We aim to perform a com-
prehensive analysis of the conicts in the future.
5 RELATED WORK
JavaScript Conict Analysis.
Patra et al. proposed ConictJS, an
automated approach to analyzing the conicts between JavaScript
libraries using synthetic clients [
5
]. They considered simple oper-
ations like direct variable write and property write, and studied
limited number of JavaScript libraries. In [
8
], the authors proposed
a dynamic JavaScript analysis framework that is based on selective
record-replay technique. Therefore, the tool is not able to cover
dynamically loaded code. In contrast, our dynamic analysis frame-
work is able to detect the conicts between scripts that are even
dynamically loaded.
JavaScript Type Inference.
Pradel et al. proposed TypeDevil
to detect type inconsistency in JavaScript [
6
]. Jensen et al. de-
ned a type analysis for JavaScript based on abstract interpreta-
tion [
3
]. Hackett et al. presented a hybrid type inference approach
for JavaScript based on points-to analysis in [
1
]. These works fo-
cus on inferring JavaScript type information within a single script.
Meanwhile, there have been several learning-based approaches to
predicting the type for JavaScript code [
2
,
4
,
7
]. They aimed to stati-
cally infer about a variable type and therefore enable the generation
of much faster code, which is orthogonal to our work. In our work,
we leverage the JavaScript built-in type checker to infer the type of
a variable at run time.
6 CONCLUSION
We developed a browser-based dynamic analysis framework to
study JavaScript global name conict problem on the Web. We
collected data from the Alexa top 1K websites. In total, we detected
47 variable value conicts on 25 websites, 728 function denition
conicts on 85 websites, and 3 variable type conicts on 2 websites.
We further investigated the detected conicts and demonstrated
that the global identier conicts may lead to security issues.
ACKNOWLEDGMENT
The work described in this paper was partly supported by a grant
from the Research Grants Council of the Hong Kong Special Ad-
ministrative Region, China (CUHK 24209418).
REFERENCES
[1]
Brian Hackett and Shu-yu Guo. 2012. Fast and precise hybrid type inference for
JavaScript. ACM SIGPLAN Notices 47, 6 (2012), 239–250.
[2]
Vincent J Hellendoorn, Christian Bird, Earl T Barr, and Miltiadis Allamanis. 2018.
Deep learning type inference. In Proceedings of the 26th ACM Joint European
Software Engineering Conference and Symposium on the Foundations of Software
Engineering (ESEC/FSE). Lake Buena Vista, FL.
[3]
Simon Holm Jensen, Anders Møller, and Peter Thiemann. 2009. Type analysis
for JavaScript. In International Static Analysis Symposium. Springer, 238–255.
[4]
Rabee Sohail Malik, Jibesh Patra, and Michael Pradel. 2019. NL2Type: inferring
JavaScript function types from natural language information. In Proceedings of the
41st International Conference on Software Engineering (ICSE). Montréal, Canada.
[5]
Jibesh Patra, Pooja N Dixit, and Michael Pradel. 2018. Conictjs: nding and
understanding conicts between javascript libraries. In Proceedings of the 40th
International Conference on Software Engineering (ICSE). Gothenburg, Sweden.
[6]
Michael Pradel, Parker Schuh, and Koushik Sen. 2015. TypeDevil: Dynamic type
inconsistency analysis for JavaScript. In Proceedings of the 37th International
Conference on Software Engineering (ICSE). Florence, Italy.
[7]
Veselin Raychev, Martin Vechev, and Andreas Krause. 2015. Predicting program
properties from big code. In ACM SIGPLAN Notices, Vol. 50. ACM, 111–124.
[8]
Koushik Sen, Swaroop Kalasapur, Tasneem Brutch, and Simon Gibbs. 2013.
Jalangi: a selective record-replay and dynamic analysis framework for JavaScript.
In Proceedings of the 18th European Software Engineering Conference (ESEC) / 21st
ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE). Saint
Petersburg, Russia.
[9] W3C. [n.d.]. Content Security Policy Level 3. https://www.w3.org/TR/CSP3/.
[10]
Ming Ying and Shu Qin Li. 2016. CSP adoption: current status and future prospects.
Security and Communication Networks 9, 17 (2016), 4557–4573.