Gradual typing embedded securely in JavaScript

SwamyNikhil,; FournetCédric,; RastogiAseem,; BhargavanKarthikeyan,; ChenJuan,; StrubPierre-Yves,; BiermanGavin,

doi:10.1145/2578855.2535889

Cited by 19 publications

(18 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several strategies have been used to implement runtime type checking for gradually typed languages, and these strategies are appropriate for different target languages and design goals. The traditional approach in the research literature is to insert casts during translation at the site of every implicit conversion between typed and dynamic code [Allende et al 2013a;Siek and Taha 2006;Swamy et al 2014;Tobin-Hochstadt and Felleisen 2006]. At runtime, these casts ensure that values correspond to their expected static type.…”

Section: Strategies For Runtime Checksmentioning

confidence: 99%

“…Gradual typing enables programmers to gradually evolve their programs from the flexibility of dynamic typing to the security of static typing [Siek and Taha 2006;Tobin-Hochstadt and Felleisen 2006]. Over the last decade, gradual typing has been of great interest to both the research community [Ahmed et al 2011;Allende et al 2013a;Rastogi et al 2012;Ren et al 2013;Siek et al 2015b;Swamy et al 2014;Takikawa et al 2012], and to industry, which has introduced several languages with elements of gradual typing, such as TypeScript [Microsoft 2012], Flow [Facebook 2014], and Dart [Google 2011]. Many existing gradually typed languages operate by translating a surface language program into a dynamically typed language by erasing types.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Optimizing and evaluating transient gradual typing

Vitousek

Siek

Chaudhuri

2019

Proceedings of the 15th ACM SIGPLAN International Symposium on Dynamic Languages

View full text Add to dashboard Cite

Gradual typing enables programmers to combine static and dynamic typing in the same language. However, ensuring a sound interaction between the static and dynamic parts can incur significant runtime cost. In this paper, we perform a detailed performance analysis of the transient gradual typing approach implemented in Reticulated Python, a gradually typed variant of Python. The transient approach [Vitousek et al. 2017] inserts lightweight checks throughout a program rather than installing proxies on higher order values. We show that, when running Reticulated Python and the transient approach on CPython, performance decreases as programs evolve from dynamic to static types, up to a 6× slowdown compared to equivalent Python programs.To reduce this overhead, we design a static analysis and optimization that removes redundant runtime checks. The optimization employs a static type inference algorithm that solves traditional subtyping constraints and also a new kind of check constraint. We evaluate the resulting performance and find that for many programs, the efficiency of partially typed programs is close to their untyped counterparts, removing most of the slowdown of transient checks. Finally, we measure the efficiency of Reticulated Python programs when running on PyPy, a tracing JIT. We find that combining PyPy with our type inference algorithm reduces the overall overhead to zero.

show abstract

Section: Strategies For Runtime Checksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Optimizing and evaluating transient gradual typing

Vitousek

Siek

Chaudhuri

2019

Proceedings of the 15th ACM SIGPLAN International Symposium on Dynamic Languages

View full text Add to dashboard Cite

show abstract

“…Programmatically, one could prevent other scripts from modifying document.domain by making a script run first in a page [20]. The first script that runs on the page would be: A parent page can also indirectly disable origin relaxation in iframes by sandboxing them.…”

Section: Avoiding Csp Violationsmentioning

confidence: 99%

On the Content Security Policy Violations due to the Same-Origin Policy

Somé

Bielova

Rezk

2017

Proceedings of the 26th International Conference on World Wide Web

View full text Add to dashboard Cite

Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers CSP implementation. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.Comment: 8 pages + references for the short version, extended to 19 pages for detailed appendice

show abstract

“…A number of other advanced type system features could be used to tackle the problem discussed in this paper. The Ur [2] language has a rich system for working with records; metaprogramming [6,19] and multi-stage programming [25] could be used to generate code for the provided types; and gradual typing [20,22] can add typing to existing dynamic languages. As far as we are aware, none of these systems have been used to provide the same level of integration with XML, CSV and JSON.…”

Section: Related and Future Workmentioning

confidence: 99%

Types from data: making structured data first-class citizens in F#

Petříček

Guerra

Syme

2016

Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Most modern applications interact with external services and access data in structured formats such as XML, JSON and CSV. Static type systems do not understand such formats, often making data access more cumbersome. Should we give up and leave the messy world of external data to dynamic typing and runtime checks? Of course, not! We present F# Data, a library that integrates external structured data into F#. As most real-world data does not come with an explicit schema, we develop a shape inference algorithm that infers a shape from representative sample documents. We then integrate the inferred shape into the F# type system using type providers. We formalize the process and prove a relative type soundness theorem.Our library significantly reduces the amount of data access code and it provides additional safety guarantees when contrasted with the widely used weakly typed techniques.

show abstract

Gradual typing embedded securely in JavaScript

Cited by 19 publications

References 21 publications

Optimizing and evaluating transient gradual typing

Optimizing and evaluating transient gradual typing

On the Content Security Policy Violations due to the Same-Origin Policy

Types from data: making structured data first-class citizens in F#

Contact Info

Product

Resources

About