Web security is a broad and evolving subject, and partly as a result, there isn't a single definitive up-to-date description or paper. In this class, we broadly divide web security into three parts: server-side security (exemplified by privilege separation ideas as in lab 2 or Google's infrastructure security), client-side security (worrying about how to isolate many web sites and web applications running in a user's browser), and network security (worrying about network-level attackers). In this lecture, we will turn our attention to client-side security (with network security to come later on).
To start learning about client-side security in web browsers, instead of asking you to read a specific paper, we have put together the following collection of documents that you should read in preparation for lecture.
First, read about the basic security mechanisms underlying client-side security in a browser:
Next, read about common vulnerabilities in web applications, along with browser mechanisms developed to mitigate them:
A wonderful and detailed book about web security is "The Tangled Web" by Michal Zalewski. It is a bit dated at this point, having been published in 2012; many developments have taken place in web security since then. It is also very detailed, making it somewhat challenging to extract the big picture from it. However, in many ways it is still accurate, and many of the details described in the book are still important for security. You can access "The Tangled Web" online through the MIT libraries' subscription to O'Reilly Online Learning; the link can be found by searching for the book in the MIT library catalog. Chapters 9-13 are the most relevant for the web security lectures in this class.