ZAC: Access Control in JavaScript
This is a demo of ZAC, our access control library for JavaScript. Below are three versions of the same page. The only difference between them is the access control policy:
- Full permissions. The script can do whatever it wants.
- Partial permissions. The script can only access global object properties, call alert, and access cookies.
- No permissions. The script cannot perform any dangerous actions.
Note: In the "No permissions" case, the ZAC.R_GLOBAL restriction is removed to permit a more visible enforcement of policies. Otherwise, all actions would fail with a "Cannot access global object properties".
The exceptions thrown by ZAC can be observed in the "Error Console" of Firefox, or in the console of Firebug if installed.
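The effect described in the note above can be reproduced with a toy model. This is an added example, not ZAC's code or API: the restriction names, `guard`, `runScript`, the fake global object and the `otherAction` stand-in are all hypothetical, and only the "Cannot access global object properties" message comes from this page.

```javascript
// Toy model only: NOT ZAC's implementation or API. All names here are hypothetical.
const R = { GLOBAL: 'global', ALERT: 'alert', COOKIE: 'cookie', OTHER: 'other' };

// Each policy is the set of restrictions in force.
const POLICIES = {
  full: new Set(),
  partial: new Set([R.OTHER]),
  none: new Set([R.ALERT, R.COOKIE, R.OTHER]), // global restriction removed, as in the demo
  noneWithGlobal: new Set([R.GLOBAL, R.ALERT, R.COOKIE, R.OTHER]),
};

// Constructed stand-in for the browser global object.
function makeFakeGlobal() {
  return { alert: (msg) => msg, cookie: 'session=constructed', otherAction: () => 'done' };
}

// Wrap the global so every property read is checked against the policy.
function guard(target, restrictions) {
  const needed = { alert: R.ALERT, cookie: R.COOKIE };
  return new Proxy(target, {
    get(obj, prop) {
      // The global check runs first, so it masks every more specific denial.
      if (restrictions.has(R.GLOBAL)) throw new Error('Cannot access global object properties');
      const r = needed[prop] || R.OTHER;
      if (restrictions.has(r)) throw new Error(`Cannot access ${String(prop)}`);
      return obj[prop];
    },
  });
}

// Run the same three actions under a policy and record what each one produced.
function runScript(policyName) {
  const g = guard(makeFakeGlobal(), POLICIES[policyName]);
  const actions = { alert: () => g.alert('hi'), cookie: () => g.cookie, other: () => g.otherAction() };
  const results = {};
  for (const [name, act] of Object.entries(actions)) {
    try { act(); results[name] = 'ok'; } catch (e) { results[name] = e.message; }
  }
  return results;
}

for (const name of Object.keys(POLICIES)) console.log(name, runScript(name));
```

With the global restriction in place every action reports the same error, so the per-action denials are only distinguishable once it is removed.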
The script included in these pages, which performs some dangerous actions, can be found here. The ZAC library can be found here.