Accountable Javascript Code Delivery

Ilkan Esiyok, Pascal Berrang, Katriel Cohn-Gordon, Robert Kuennemann

Research output: Chapter in Book/Report/Conference proceedingConference contribution


The Internet is a major distribution platform for web applications, but there are no effective transparency and audit mechanisms in place for the web. Due to the ephemeral nature of web applications, a client visiting a website has no guarantee that the code it receives today is the same as yesterday, or the same as other visitors receive. Despite advances in web security, it is thus challenging to audit web applications before they are rendered in the browser. We propose Accountable JS, a browser extension and opt-in protocol for accountable delivery of active content on a web page. We prototype our protocol, formally model its security properties with the Tamarin Prover, and evaluate its compatibility and performance impact with case studies including WhatsApp Web, AdSense and Nimiq.

Accountability is beginning to be deployed at scale, with Meta’s recent announcement of Code Verify available to all 2 billion WhatsApp users, but there has been little formal analysis of such protocols. We formally model Code Verify using the Tamarin Prover and compare its properties to our Accountable JS protocol. We also compare Code Verify’s and Accountable JS extension's performance impacts on WhatsApp Web.

Original languageEnglish
Title of host publicationNDSS Symposium 2023 Accepted Papers
PublisherThe Internet Society
Number of pages17
ISBN (Electronic)1891562835
Publication statusPublished - 8 Feb 2023
EventNetwork and Distributed System Security (NDSS) Symposium 2023 - San Diego, United States
Duration: 27 Feb 20233 Mar 2023


ConferenceNetwork and Distributed System Security (NDSS) Symposium 2023
Abbreviated titleNDSS 2023
Country/TerritoryUnited States
CitySan Diego


Dive into the research topics of 'Accountable Javascript Code Delivery'. Together they form a unique fingerprint.

Cite this