W3C home > Mailing lists > Public > public-web-perf@w3.org > June 2011

Re: [RequestAnimationFrame] Integer identifiers: let's not make the same mistake again.

From: James Robinson <jamesr@google.com>
Date: Tue, 28 Jun 2011 13:44:20 -0700
Message-ID: <CAD73mdLOKEVVcjuCMz0zZP2dFX0jAJbCZF6dKbw6KD9iO29B_g@mail.gmail.com>
To: David Bruant <david.bruant@labri.fr>
Cc: public-web-perf@w3.org, "Mark S. Miller" <erights@google.com>
On Mon, Jun 13, 2011 at 6:17 AM, David Bruant <david.bruant@labri.fr> wrote:

> Hi,
> setTimeout, setInterval both return an integer as an identifier. In my
> opinion, this is a mistake.
> If a milicous script comes up, and loops over an integer range, it can
> cancel intervals and timeouts without having been granted the right to
> do so. This is a security issue.

Hi David,

I'm not sure I understand exactly what you mean here - script can only
cancel timers that it set.  Could you expand a bit on what you mean by
"granted the right to do so"?

The reason for using integer identifiers is to remain close to
setTimeout/setInteval, but I think an opaque identifier would work equally
well.  I'm not sure what benefit it would give, however.

- James

> I do not know how currently JS engines implement identifier generation,
> but If at some point, they all do the same way, implementations may
> start relying on this behavior hence creating yet another de-facto
> standard. This should be avoided.
> requestAnimationFrame is following the same path. I would suggest to
> generate a non-forgeable identifier instead of integers.
> I have implemented such a thing for setTimeout with JavaScript objects
> as identifiers (https://gist.github.com/877797). Of course, non-JS
> implementations do not need to use objects as non-forgeable identifiers.
> Non-forgeable identifiers would solve both problems (security and risk
> of creating de-facto standard) without introducing any issue I could
> think of.
> Cheers,
> David
> Ps : adding Mark Miller to the discussion, because we've already been
> discussing similar issues on es-discuss before:
> https://mail.mozilla.org/pipermail/es-discuss/2011-March/013227.html
Received on Tuesday, 28 June 2011 20:44:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:04:31 UTC