SecureDart: Trusting Client-side Code

Modern web sites make extensive use of client-side code, but this code runs on untrusted machines, and thus the server-side code must validate all client-side requests. Errors in code that validates requests open the server to attacks by adversaries that send malicious requests. SecureDart extends the Dart language and runtime to support writing trustable client-side code. Requests from trusted client-side code contain a certificate that the server uses to validate the request’s authenticity. We have implemented SecureDart as an extension to the Dart compiler. We have evaluated SecureDart on web application benchmarks and were able to secure the applications against client-side attacks with minimal overhead.