ZAC is a library for access control in JavaScript based on AspectScript. ZAC combines very interesting features: dynamic enforcement of policies, extensible access control specifications, and a finer granularity level in which policies are enforced at the level of objects instead of pages/scripts. Al these features augment the precision of access control policies.

Download and install instructions for zac4firefox can be found here.

Please visit this page to view ZAC in action. You can also interactively try ZAC in this page. Just write some JavaScript code, choose the restrictions you want to enforce and press “Run it!”. The code will be automatically transformed and executed in the interal frame below. The HTML code on the second textarea is also appended to the resulting page, so the JavaScript code can access it.

In the sample code below, alert is called using four different alternatives: (a) direct call, (b) indirect call (using delegation), © indirect call (using eval), and (d), scheduled invocation. The four attempts end with an exeption if the restriction R_ALERT is active. Please notice that an exception is thrown when the first alert is executed, so you will have to comment it in order to test the following ones.

The ZAC library can be downloaded from here. ZAC is based on AspectScript, which is available here.