As stated earlier, for execution security of untrusted code, we use subsets in JavaScript. For example, when we have a credit card checking script in which a credit card number is sent to a remote server, then for this type of information security, we use subset. By defining a subset, we check the behavior of a program that we have strictly not allowed. So, it means that we use subsets for a certain amount of code, and the other part of the code is omitted.

There are two goals of a JavaScript subset:

These subset are defined for every reason.

The good parts: This is a subset that is part of the language used for the best and the worthy part of the script. The main goal of this subset is it purifies and simplifies code, and makes the script easier and more understandable. The good parts subset does not have an eval() function. It also eliminates the continue and with statements. It does not include function definition statements, and only defines function using the function definition expression. Using a function definition statement, it defines a function, and then, after defining the function, it does not use the function definition statement.

Secure subsets

There are various implementations of secure subsets. Some of them are briefly described here.

ADsafe

ADsafe (http://www.adsafe.org/) was one of the first presented security subjects. It was proposed and created by Douglas Crockford. ADsafe uses tools such asJSLint (http://www.jslint.com/) to verify the unsafe code. It enforces good programming practices, so the likelihood of unsecure code executing correctly is much higher. It blocks the script from accessing the global variables or accessing the DOM directly. Instead, it allows the script to access the ADsafe object, which provides access to a secure API and indirect access to the DOM elements. ADsafe does not alter scripts and has no impact on its functionality. It enables us to determine quickly whether the script is safe to be placed on a page. It also works as a base that helps in the development of other secure subsets.

Dojox

The dojox.secure tool (https://dojotoolkit.org/reference-guide/1.10/dojox/secure.html) is a security subset inspired from ADsafe. It is an extension of the Dojo toolkit (http://dojotoolkit.org) and was developed by Kris Zyp. It is fully packed with components that ensure safe execution and loading of untrusted code, content, ads, and widgets from a different domain. It provides a sandbox environment and limited DOM elements for interaction:

Caja

Caja (https://developers.google.com/caja/) is an open source secure subset powered by Google. Caja (which means "box" in Spanish) further defines two subsets:

• Cajita (which means "small box" in Spanish) is a narrow subset just like ADsafe and dojox.secure
• Valija (which means "suitcase" in Spanish) is a broader subset and is much more similar to ECMAScript in strict mode (with the eval() method removed)

Caja is a compiler tool that transforms third-party content such as HTML, CSS, and JS into secure code, which is then easy to embed in a website.

FBJS

FBJS (https://github.com/facebook/fbjs) is a JavaScript secure subset used by Facebook. It allows untrusted code to be executed in a secure environment. It transforms code to ensure security. During the transformation, all top-level identifiers are renamed by adding the module-specific prefix. Adding module specific prefix prevents querying any global identifiers. For example, you are developing an app having the xyz123 ID, and there is a foo() function in the code. It will eventually become xyz123_foo(). Even function calls to eval() are redirected to a non-existent function.

Microsoft's web sandbox

Microsoft's Web Sandbox (http://www.websandbox.org/) defines a broad secure subset of JavaScript, HTML, and CSS. Sandbox implements host virtualization to provide security and extensibility. The untrusted code is executed in a virtual machine instead of running directly in a browser. A virtual machine quarantines the untrusted code, which prevents it from interacting with the elements outside the virtual machine. Let's take a look at the following block diagram:

Microsoft's Web Sandbox

Lots of new and useful features have been coded. They will be standardized with the release of ES6. ES6 was set to be officially released in June 2015. However, many of the features and extensions are already available on Firefox and Chrome (Experimental JavaScript flag has to be turned on in order to access some of the ES6 features). We will discuss the major features in the rest of the chapter.

It works like variable keyword var. For declaring a constant, we use the word const. In order to use assignment we must declare constant.

The Let keyword is used for the block scoping of variables. The variables are declared at the start of the code instead of at the start of functions:

var name = "john";
console.log(name);

In the preceding example, the name john is the value of name logged in console. The declarations in JavaScript are moved to the top. The position of the variables declared or initialized in the scope of the function does not matter, and they will be hoisted to the top by default. JavaScript's default conduct is to move variable declarations to the top.

Hoisting is JavaScript's default behavior to move variable declarations to the top.

Variables in JavaScript are function scoped. This means, variables are available throughout the function, even if they are declared in a nested code block. Here is a short example in which we will log the output in the console of our client, that is, Chrome, Firefox, and so on:

var name = "john";
(function () {
  // var name = undefined;
  if (!name)
  { var name = "jane"; }
  console.log(name); // "jane"
}());

From the preceding example, the value of name used to log-in into the console is jane.

ES6 handles this issue with let. Let is very much like var. The only difference is that let is block scoped, and var is function scoped. We can rewrite the previous example using let, as shown here:

var name = "john";
(function () {
  // var name = undefined;
  if (!name) {
    let name = "jane";
  }
  console.log(name); // "john"
}());

Notice that although the value of name is jane inside the function, using the let keyword sets its scope to global and the value of name defaults to john. Hence, john is logged in the client's console.

We can assign multiple values to the variables in a function using one command.

The iteration of property value is done using this loop. The iteration of property name is done.

The object for the next method is returned. The object that is returned has _iterator_ property. The iterator is used for iteratable objects.

The generation of object is done here. A generated object is returned whenever a function invokes the this method. The yield keyword is used. The current execution of the function is specified by the generated object.

The iteratable objects with the same values in the array are shorthanded by the use of array.

The functions are shorthanded for multiple try-catch expressions. The thing that is returned is the generated object wrapped in {} and not in []. We use this for multiple values to variables in the function.