
[whatwg] Content Restrictions

From: Hallvord Reiar Michaelsen Steen <hallvord@hallvord.com>
Date: Tue, 31 Jan 2006 13:53:43 +0900
Message-ID: <43DF6BE7.29120.384D72D2@hallvord.hallvord.com>
On 30 Jan 2006 at 22:57, Alexey Feldgendler wrote:

> > devil is in the detail. For example, how do you programmatically isolate
> > the outside and inside? If the outside sets a value on the inside, and
> > the inside has set a setter function on that value, how do you make sure
> > the setter runs with the right privileges?
> 
> All code which is physically written inside the sandbox is restricted.  
> This includes setter functions. 

This is very hard to implement. AFAIK no UA's JavaScript engine has a 
concept of the "origin" of a function. If any function is invoked by 
a thread with higher privileges, it will run with higher privileges. 
The alternative is having the UA do a security check for every 
function it intends to run, and I don't see any way to avoid a 
serious performance penalty there.

Caveat: I'm not a programmer, just a tester.

> > Also, how do you prevent inner "safe" script from e.g. overlaying
> > content on top of any arbitrary part of the page using absolute
> > positioning? You have to try and allocate particular bits of the page to
> > particular sandboxes. That's a nightmare.
> 
> Thanks for pointing this issue out, I'll think about how to address it

Yes, it is a serious problem.

> > I know people _want_ to do it, just as people wanted pretty coloured
> > scrollbars and so IE added a proprietary extension to CSS to allow it.

Gerv, don't you see the potential here? Come on, 50% of all blogs 
will add dynamic menus! Isn't that going to be great for the web?
:-p

For the record: I think there are really good use cases for these 
ideas.

Regarding SANDBOX when I look at the discussion and points raised so 
far I sort of get the feeling that we are re-inventing IFRAME... 
Hence I'm beginning to think that we should just come up with a new 
attribute on IFRAME, called "sandbox" or "contentrestriction" or 
something like that. That way the parent page could explicitly allow 
or prevent interaction with the IFRAME. 

Just a loose idea for now..
-- 
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/
Received on Monday, 30 January 2006 20:53:43 UTC
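To illustrate the setter-privilege problem raised in the exchange above (a setter written inside the sandbox being invoked by the trusted page), here is a toy model added as an example; it is not code from the original message or from any real JavaScript engine. The principals `PAGE` and `SANDBOX`, the privileged `readSecret()` operation and the `withOrigin()` wrapper are assumptions made for illustration: the first function shows what happens when the engine has no notion of a function's origin, the second shows the per-invocation check that tracking the definer's origin would require.

```javascript
// Toy model of the "function origin" problem (added example, not from the
// original message or any real engine). Principals and readSecret() are
// assumed for illustration only.

const PAGE = "page";       // the trusted outer page
const SANDBOX = "sandbox"; // restricted inner content

// The engine's idea of "who is running right now". Without per-function
// origin tracking this is set only by whoever made the call.
let currentPrincipal = PAGE;

// A privileged operation the sandboxed content must never perform.
function readSecret() {
  if (currentPrincipal !== PAGE) throw new Error("denied: " + currentPrincipal);
  return "secret-value";
}

// Naive engine: a function runs with whatever privilege its caller has.
function naiveSetterEscalation() {
  const shared = {};
  let captured = null;
  // Code "physically written inside the sandbox" installs a setter...
  Object.defineProperty(shared, "value", {
    set(v) { captured = readSecret(); }, // executes with the caller's privilege
  });
  // ...and the trusted page later assigns to that property.
  currentPrincipal = PAGE;
  shared.value = 1;
  return captured; // the setter ran as PAGE and read the secret
}

// Origin-tracking engine: every function remembers where it was defined,
// and the switch/check happens on every invocation (the per-call cost).
function withOrigin(fn, origin) {
  return function (...args) {
    const saved = currentPrincipal;
    currentPrincipal = origin;           // run as the definer, not the caller
    try { return fn.apply(this, args); }
    finally { currentPrincipal = saved; }
  };
}

function trackedSetterDenied() {
  const shared = {};
  let outcome = "not called";
  Object.defineProperty(shared, "value", {
    set: withOrigin(function (v) {
      try { outcome = readSecret(); } catch (e) { outcome = e.message; }
    }, SANDBOX),
  });
  currentPrincipal = PAGE;
  shared.value = 1;
  return outcome; // the setter ran as SANDBOX and was refused
}
```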
