- From: David Bruant <david.bruant@labri.fr>
- Date: Mon, 13 Jun 2011 15:17:35 +0200
- To: public-web-perf@w3.org
- CC: "Mark S. Miller" <erights@google.com>
Hi,

setTimeout, setInterval both return an integer as an identifier. In my opinion, this is a mistake. If a malicious script comes up, and loops over an integer range, it can cancel intervals and timeouts without having been granted the right to do so. This is a security issue.

I do not know how JS engines currently implement identifier generation, but if at some point, they all do it the same way, implementations may start relying on this behavior, hence creating yet another de-facto standard. This should be avoided.

requestAnimationFrame is following the same path.

I would suggest to generate a non-forgeable identifier instead of integers. I have implemented such a thing for setTimeout with JavaScript objects as identifiers (https://gist.github.com/877797). Of course, non-JS implementations do not need to use objects as non-forgeable identifiers.

Non-forgeable identifiers would solve both problems (security and risk of creating de-facto standard) without introducing any issue I could think of.

Cheers,

David

PS: adding Mark Miller to the discussion, because we've already been discussing similar issues on es-discuss before: https://mail.mozilla.org/pipermail/es-discuss/2011-March/013227.html
Received on Monday, 13 June 2011 13:18:11 UTC
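
The object-as-identifier idea proposed in the message can be sketched as follows. This is an added example, not part of the original message and not the code in the linked gist; the names `makeTimers`, `setTimeoutSafe`, `clearTimeoutSafe` and `demo` are hypothetical.

```javascript
// Added example: wrap the host timer functions so the value handed back to
// the caller is an opaque frozen object instead of a guessable integer.
function makeTimers(hostSet = globalThis.setTimeout,
                    hostClear = globalThis.clearTimeout) {
  // token object -> real host identifier; never exposed outside this closure
  const live = new WeakMap();

  function setTimeoutSafe(callback, delay, ...args) {
    if (typeof callback !== 'function') {
      throw new TypeError('callback must be a function');
    }
    const token = Object.freeze(Object.create(null));
    const hostId = hostSet(() => {
      live.delete(token); // fired: the token can no longer cancel anything
      callback(...args);
    }, delay);
    live.set(token, hostId);
    return token;
  }

  // Returns true only if `token` was issued by setTimeoutSafe and is pending.
  function clearTimeoutSafe(token) {
    // Integers and strings are never WeakMap keys, so a guessed number,
    // or an object this closure did not create, is rejected here.
    if (token === null || typeof token !== 'object' || !live.has(token)) {
      return false;
    }
    hostClear(live.get(token));
    live.delete(token);
    return true;
  }

  return Object.freeze({ setTimeout: setTimeoutSafe, clearTimeout: clearTimeoutSafe });
}

// Constructed demonstration: only the holder of the token can cancel.
function demo() {
  const timers = makeTimers();
  const token = timers.setTimeout(() => {}, 60000);
  return {
    integerAccepted: [1, 2, 3, 1000].some((n) => timers.clearTimeout(n)),
    lookalikeAccepted: timers.clearTimeout(Object.freeze(Object.create(null))),
    holderCancelled: timers.clearTimeout(token),
    secondCancel: timers.clearTimeout(token),
  };
}
```

The wrapper confines only code that is handed these functions in place of the host's integer-based `setTimeout` and `clearTimeout`.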