GlassBox: Causal Runtime Policy Enforcement for Web Applications

Authors

  • Sandesh Basrur University of California, Riverside

DOI:

https://doi.org/10.65091/icicset.v2i1.27

Abstract

Web applications routinely combine first-party code, third-party scripts, and multi-service backends. Point defenses such as Content Security Policy, Subresource Integrity, Trusted Types, and Fetch Metadata help, but they judge effects in isolation and often miss cross-tier causality. We present GlassBox, a causal runtime policy enforcement framework that links client-side sinks, network hops, and server actions into a Causal Event Graph (CEG). Policies are written over causes (provenance, integrity, request context) and compiled to two enforcement points: a lightweight inlined reference monitor in the browser and a reverse-proxy/server middleware on the backend. Our prototype for Chromium and Node.js/NGINX composes with existing headers rather than replacing them. On vulnerable apps and a microservice testbed, GlassBox blocks a broad set of attacks (97% DOM XSS, 95% cross-site request abuse, 98% supply-chain swaps) with low false positives (1.1%) and modest overhead (median +5.1 ms page load, +1.3 ms API p95). The results suggest that causal enforcement is a practical next step for hardening modern web stacks while preserving compatibility.
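To make the idea of "policies written over causes" concrete, here is an added illustration (not code from the paper or the GlassBox prototype): a toy Causal Event Graph links a DOM sink write back to the scripts and requests that caused it, and the policy judges the whole chain rather than the sink in isolation. The class and function names, the event attributes, and the sample URLs are assumptions for this example.

```javascript
// Added illustration of a Causal Event Graph (CEG): each recorded event keeps
// edges to the events that caused it, so a policy can judge a sink by its
// causes (provenance, integrity, request context) rather than in isolation.
class CausalEventGraph {
  constructor() { this.events = []; }
  // Record an event with the ids of its direct causes; returns the new id.
  record(kind, attrs, causes = []) {
    const id = this.events.length;
    this.events.push({ id, kind, ...attrs, causes });
    return id;
  }
  // All transitive causes of an event: its provenance chain.
  ancestors(id) {
    const seen = new Set();
    const stack = [id];
    while (stack.length) {
      for (const c of this.events[stack.pop()].causes) {
        if (!seen.has(c)) { seen.add(c); stack.push(c); }
      }
    }
    return [...seen].map((i) => this.events[i]);
  }
}

// Policy over causes: a DOM sink write is allowed only if every script in its
// causal chain is first-party or integrity-verified (SRI), and no request in
// the chain arrived cross-site outside a CORS-mode fetch (Fetch Metadata).
function policyAllowsSink(ceg, sinkId) {
  return ceg.ancestors(sinkId).every((ev) => {
    if (ev.kind === 'script') return ev.firstParty || ev.integrityVerified;
    if (ev.kind === 'request') return ev.secFetchSite !== 'cross-site' || ev.secFetchMode === 'cors';
    return true;
  });
}

// Constructed scenario (hypothetical values): first-party app.js fetches a
// profile, then a third-party widget without SRI writes into innerHTML.
function demoSupplyChainSwap() {
  const ceg = new CausalEventGraph();
  const app = ceg.record('script', { src: '/app.js', firstParty: true, integrityVerified: true });
  const req = ceg.record('request', { url: '/api/profile', secFetchSite: 'same-origin', secFetchMode: 'cors' }, [app]);
  const cdn = ceg.record('script', { src: 'https://cdn.example/widget.js', firstParty: false, integrityVerified: false }, [app]);
  const sink = ceg.record('sink', { name: 'innerHTML' }, [req, cdn]);
  // Blocked: the write's provenance includes an unverified third-party script.
  return policyAllowsSink(ceg, sink);
}
```

A monitor judging only the sink would see a plain innerHTML write; the causal policy blocks it because an unverified script sits in its provenance, while the same write caused solely by first-party code passes.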

Published

2025-12-24

How to Cite

[1]
S. Basrur, “GlassBox: Causal Runtime Policy Enforcement for Web Applications”, ICICSET2025, vol. 2, no. 1, Dec. 2025.