COWL Puts A Firewall Between Your Data And Untrusted Web Code

Although some companies are doing their best to improve the situation, the web is still far from a safe place. A few years ago, some browsers, like Chrome, started offering a sandbox system to contain different web pages and not allow one hijacked page to attack another.

This has led to Chrome scoring among the highest when it comes to browser security in hacking contests such as Pwn2Own. However, this type of sandboxing has mostly been focused on completely separate tabs compromising each other, but it doesn't help to protect a user's data from untrusted code being used inside a trusted website. 

The problem of offering users privacy while also offering developers flexibility for their web applications has been described as "one of the central challenges in computer systems security research," according to UCL professor Brad Karp.

Fortunately, there is now a solution named COWL, or Confinement with Origin Web Labels. COWL has been developed by researchers from University College London, Stanford, Chalmers, Google and Mozilla.

Professor Karp described it as follows:

"The new system provides a property known as ‘confinement’ which has been known since the 1970s, but proven difficult to achieve in practical systems like web browsers. COWL confines JavaScript programs that run within the browser, such as in separate tabs. If a JavaScript program embedded within one web site reads information provided by another web site – legitimately or otherwise – COWL permits the data to be shared, but thereafter restricts the application receiving the information from communicating it to unauthorized parties. As a result, the site that shares data maintains control over it, even after sharing the information within the browser."

Developers will need to use something called "labels" to compartmentalize code within a page, ensuring that the user's sensitive data isn't leaked. Even when third-party code, such as a library, accesses the user's data, it won't have network access to unapproved websites. Right now the two options for a developer are either to not use certain third-party functionality, or risk having third-party code steal data from the users.

The researchers gave the example of a third-party web app that could monitor an Amazon user's purchases in order to verify if he or she is being overcharged, without the web app having to know his or her Amazon credentials:

“For example, one useful web application would let users check they're not being overcharged for items they've ordered from Amazon. The app would have to pull in information from the user's bank statement and Amazon, reconcile the two, and present the result in the browser. To do this, a web developer would need to write code that integrated data from the bank's web site with data from Amazon’s web site but the SOP would block this, as the two data sources are hosted by different web domain names. Today's web developers get around this by writing an app that asks the user for their bank and Amazon login credentials, so it can log into both services and collect information as if it is the user. This clearly compromises the user’s privacy as the provider of the app gains full access to the user’s online banking system and Amazon account."

The researchers working on COWL believe that this system provides a win-win situation for both users and developers. The users benefit from increased privacy and lower risk from potentially having their account credentials stolen, while developers can enable more feature-rich web applications without putting their users' data at risk.

COWL will be available for download on October 15 on, and it should be available in Chrome and Firefox in a few months' time, once their respective teams have completely validated the code.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.