W3C home > Mailing lists > Public > public-web-perf@w3.org > June 2011

[RequestAnimationFrame] Integer identifiers: let's not make the same mistake again.

From: David Bruant <david.bruant@labri.fr>
Date: Mon, 13 Jun 2011 15:17:35 +0200
Message-ID: <4DF60DEF.7060005@labri.fr>
To: public-web-perf@w3.org
CC: "Mark S. Miller" <erights@google.com>
Hi,

setTimeout, setInterval both return an integer as an identifier. In my
opinion, this is a mistake.
If a milicous script comes up, and loops over an integer range, it can
cancel intervals and timeouts without having been granted the right to
do so. This is a security issue.
I do not know how currently JS engines implement identifier generation,
but If at some point, they all do the same way, implementations may
start relying on this behavior hence creating yet another de-facto
standard. This should be avoided.

requestAnimationFrame is following the same path. I would suggest to
generate a non-forgeable identifier instead of integers.
I have implemented such a thing for setTimeout with JavaScript objects
as identifiers (https://gist.github.com/877797). Of course, non-JS
implementations do not need to use objects as non-forgeable identifiers.
Non-forgeable identifiers would solve both problems (security and risk
of creating de-facto standard) without introducing any issue I could
think of.

Cheers,

David

Ps : adding Mark Miller to the discussion, because we've already been
discussing similar issues on es-discuss before:
https://mail.mozilla.org/pipermail/es-discuss/2011-March/013227.html
Received on Monday, 13 June 2011 13:18:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 13 June 2011 13:18:12 GMT