W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2011

[whatwg] Prevent a document from being manipulated by a "top" document

From: John Tamplin <jat@google.com>
Date: Tue, 2 Aug 2011 12:14:22 -0400
Message-ID: <CABLsOLDRtgK0jiBMJM0PDiQqE4PbqWdaHQ0aR75YF9i+PgqbjQ@mail.gmail.com>
On Tue, Aug 2, 2011 at 7:15 AM, Dennis Joachimsthaler <dennis at efjot.de>wrote:

> Am 02.08.2011, 13:12 Uhr, schrieb Anne van Kesteren <annevk at opera.com
>
>
>> If users cannot trust their userscripts and addons (provided they can do
>> unsafe things) they have lost already.
>>
>>
> True. We do not make standards solely to protect inexperienced users.
>
> Thank you for your insight on this matter, though.
>

If you need to run untrusted code, consider
Caja<http://code.google.com/p/google-caja/>.
 JS itself doesn't provide the necessary mechanisms to safely execute
untrusted code, so either you trust the code you are running completely (at
least to the limits of what you can enforce running it in an iframe jail) or
you do something like Caja.

-- 
John A. Tamplin
Software Engineer (GWT), Google
Received on Tuesday, 2 August 2011 09:14:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:08 UTC