Secure information flow (SIF) analysis can determine if web browser add-ons
may leak sensitive information to third parties. However, many reported
leaks are false positives, or only reveal a few bits of information. We
present a JavaScript SIF analysis tool with a web-based interface to
visualize its results. The analysis is a client of JSAI, a provably sound
JavaScript abstract interpreter. The web interface displays how information
flows between program statements. By classifying different types of
information flow, the tool helps users determine whether reported leaks are
serious, trivial, or spurious. This allows browser communities to review
add-ons more efficiently and soundly than the current manual process.