Re: <iframe doc="">

On Jan 24, 2010, at 11:05 AM, Leonard Rosenthol wrote:

>> The browser can know definitively whenever it's about to run script, so it can definitively stop all 
>> possible ways of doing so without having to guess
>> 
> That seems to be an assumption that I would dispute.
> 
> A browser can know when it is about to run visible/exposed scripts in standard locations that it supports.  I agree.
> 
> HOWEVER, unless the browser has implemented (and has control over) EVERY SINGLE PART of its code - from the OS foundations to the rendering system - what it can NOT know is when scripts may be executed outside of its control.  Some video formats allow for calls outside the normal chain of execution (e.g. for cuepoints and the like) - how could you prevent that if you don't know about it?  Some operating systems allow for attaching scripts to UI elements, which could be invoked simply by the UA rendering a standard control.  (And the list goes on.)

I'm talking about script provided by Web content - OS-level script is not relevant. For video formats that may have embedded script, it is straightforward not to support those.

> 
> To assume that any UA is completely in control of ALL aspects of execution of ALL scripts would be wrong.

The UA needs to be aware of all possible vectors for running code that can be invoked and controlled by Web content. Any that it's not aware of are likely to be security holes, without even bringing @sandbox into it.

Regards,
Maciej

Received on Sunday, 24 January 2010 19:18:36 UTC