- From: Joshua Cranmer <Pidgeot18@verizon.net>
- Date: Tue, 04 Feb 2014 10:29:57 -0600
- To: public-htmail@w3.org
On 2/4/2014 10:11 AM, Robin Berjon wrote:
> On 04/02/2014 14:08 , Innovimax SARL wrote:
>> It could be a huge mess to allow **any** library, but it might be a good
>> idea to include already well known library
>>
>> On the top of my head JQuery, Prototype, Processing.js which could be a
>> list as in http://jsfiddle.net/
>
> Part of the problem with allowing JS — *any* JS — is that in the
> webmail case you need to ensure that it can only manipulate the
> rendering of the email itself, and not the UI around it.
>
> And even then, it opens up a whole new can of worms (literally). For
> instance, you could send innocuous-looking attachments and
> innocuous-looking JS but if the latter were to modify the former (even
> just by generating a Blob URL and linking to it) then you've made it
> past a lot of virus checks.

There's another can of worms, too: JS can also have the potential to access the XHR features of the website itself, which means a malicious script (if the sandboxing breaks down) can do things like "forward all of my messages to a third party without telling me."

--
Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald E. Knuth
Received on Tuesday, 4 February 2014 16:30:44 UTC
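
One way a webmail client can confine script in a message to the message's own rendering and keep it away from the site's XHR, as an added example that is not part of the original thread. The helper names (auditSandbox, buildMailFrame), the policy and the sample message are assumptions constructed for illustration.

```javascript
// Added example; helper names are hypothetical and not from the thread.
// Sandbox tokens that would let script in a message reach beyond its own rendering.
const FORBIDDEN = new Set([
  "allow-same-origin",              // frame would share the webmail origin: session XHR, DOM, storage
  "allow-top-navigation",           // script could replace the surrounding UI
  "allow-top-navigation-by-user-activation",
  "allow-popups-to-escape-sandbox", // popups would run unsandboxed
  "allow-downloads",                // script-generated downloads, e.g. a Blob URL link
]);

// CSP for the framed message: inline script and style only, no network requests.
const MAIL_CSP = [
  "default-src 'none'",
  "script-src 'unsafe-inline'",
  "style-src 'unsafe-inline'",
  "img-src data:",
  "connect-src 'none'", // XHR, fetch, WebSocket, sendBeacon
  "form-action 'none'",
  "base-uri 'none'",
].join("; ");

// Return the forbidden tokens present in a sandbox attribute value.
function auditSandbox(value) {
  const tokens = value.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.filter((t) => FORBIDDEN.has(t));
}

// Escape text for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build iframe markup that renders one message in an opaque-origin sandbox.
function buildMailFrame(mailHtml, sandbox = "allow-scripts") {
  const bad = auditSandbox(sandbox);
  if (bad.length > 0) {
    throw new Error("unsafe sandbox tokens: " + bad.join(", "));
  }
  const doc = `<meta http-equiv="Content-Security-Policy" content="${MAIL_CSP}">` + mailHtml;
  return `<iframe sandbox="${escapeAttr(sandbox)}" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample message that tries to close the attribute and the frame early.
const sample = `<p>Hi</p>"></iframe><script>top.location = "/"</script>`;
console.log(buildMailFrame(sample));
```

Without allow-same-origin the framed message runs in an opaque origin, so a request it makes is not same-origin with the webmail application, and the policy's connect-src blocks XHR from the message outright.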