Understanding and Monitoring Embedded Web Scripts

Modern web applications make frequent use of third-party scripts, often in ways that allow scripts loaded from external servers to make unrestricted changes to the embedding page and access citical resources including private user information.


ScriptInspector assists site administrators in understanding, monitoring, and restricting the behavior of third-party scripts embedded in their site. ScriptInspector is a modified browser that can intercept, record, and check third-party script accesses to critical resources against security policies.

ScriptInspector includes a Visualizer tool that allows users to conveniently view recorded script behaviors and candidate policies and a PolicyGenerator tool that aids script providers and site administrators in writing policies. Site administrators can manually refine these policies with minimal effort to produce policies that effectively and robustly limit the behavior of embedded scripts.


Yuchen Zhou and David Evans. Understanding and Monitoring Embedded Web Scripts. 36th IEEE Symposium on Security and Privacy (“Oakland”). San Jose, CA. 18-20 May 2015.

Full paper (16 pages): [PDF]

Source Code

Includes code for the ScriptInspector, Visualizer, and PolicyGenerator.


Browse Policies (or download a .zip file with all policies)
Spreadsheet with list of URLs and full policy data (.xlsx)


Yuchen Zhou (University of Virginia; now at Palo Alto Networks)
David Evans (University of Virginia)