- From: James Robinson <jamesr@google.com>
- Date: Tue, 28 Jun 2011 13:44:20 -0700
- To: David Bruant <david.bruant@labri.fr>
- Cc: public-web-perf@w3.org, "Mark S. Miller" <erights@google.com>
- Message-ID: <CAD73mdLOKEVVcjuCMz0zZP2dFX0jAJbCZF6dKbw6KD9iO29B_g@mail.gmail.com>
On Mon, Jun 13, 2011 at 6:17 AM, David Bruant <david.bruant@labri.fr> wrote:
> Hi,
>
> setTimeout, setInterval both return an integer as an identifier. In my
> opinion, this is a mistake.
> If a malicious script comes up, and loops over an integer range, it can
> cancel intervals and timeouts without having been granted the right to
> do so. This is a security issue.
>

Hi David,

I'm not sure I understand exactly what you mean here - script can only cancel timers that it set. Could you expand a bit on what you mean by "granted the right to do so"?

The reason for using integer identifiers is to remain close to setTimeout/setInterval, but I think an opaque identifier would work equally well. I'm not sure what benefit it would give, however.

- James

> I do not know how currently JS engines implement identifier generation,
> but if at some point, they all do the same way, implementations may
> start relying on this behavior hence creating yet another de-facto
> standard. This should be avoided.
>
> requestAnimationFrame is following the same path. I would suggest to
> generate a non-forgeable identifier instead of integers.
> I have implemented such a thing for setTimeout with JavaScript objects
> as identifiers (https://gist.github.com/877797). Of course, non-JS
> implementations do not need to use objects as non-forgeable identifiers.
> Non-forgeable identifiers would solve both problems (security and risk
> of creating de-facto standard) without introducing any issue I could
> think of.
>
> Cheers,
>
> David
>
> Ps : adding Mark Miller to the discussion, because we've already been
> discussing similar issues on es-discuss before:
> https://mail.mozilla.org/pipermail/es-discuss/2011-March/013227.html
>
Received on Tuesday, 28 June 2011 20:44:46 UTC
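The design David proposes in the message above (object handles instead of guessable integers for cancelling timers), as an added example that is not part of the thread and is not the code in David's gist. It wraps any integer-id scheduler behind a WeakMap of fresh handle objects, so `clearTimeout` only succeeds for a handle the caller was actually given. The function and scheduler names (`makeOpaqueTimers`, `makeFakeScheduler`, `demo`) are my own; the fake scheduler stands in for the real `setTimeout`/`clearTimeout` so the behaviour can be checked synchronously, and the raw integer API exposed alongside it only illustrates the guessing risk the message describes.

```javascript
// Added example (not from the thread or from the linked gist).
// Opaque-handle wrapper around any scheduler that returns integer ids.
// `schedule(fn, ms)` and `cancel(id)` are assumed to behave like
// setTimeout/clearTimeout; pass the real ones in a browser or Node.
function makeOpaqueTimers(schedule, cancel) {
  // handle object -> underlying integer id. A WeakMap cannot be enumerated,
  // so no holder of the facet can list or guess other callers' handles.
  const ids = new WeakMap();
  return {
    setTimeout(fn, ms) {
      const handle = Object.freeze({}); // fresh identity, unforgeable
      ids.set(handle, schedule(() => { ids.delete(handle); fn(); }, ms));
      return handle;
    },
    clearTimeout(handle) {
      // WeakMap.has() is false for integers and unknown/already-fired handles.
      if (!ids.has(handle)) return false;
      cancel(ids.get(handle));
      ids.delete(handle);
      return true;
    },
  };
}

// Constructed fake scheduler with small sequential integer ids, mirroring
// what real implementations hand out, so the demo runs without real timers.
function makeFakeScheduler() {
  let next = 1;
  const pending = new Map();
  return {
    schedule(fn, ms) { const id = next++; pending.set(id, fn); return id; },
    cancel(id) { pending.delete(id); },
    // Fire every callback still pending, in id order.
    runAll() { for (const [id, fn] of [...pending]) { pending.delete(id); fn(); } },
  };
}

// Two independent scripts share one timer facility; script A holds its own
// handle, script B only has integers to try.
function demo() {
  const sched = makeFakeScheduler();
  const timers = makeOpaqueTimers(sched.schedule, sched.cancel);
  const fired = [];
  const handleA = timers.setTimeout(() => fired.push('a'), 10);
  timers.setTimeout(() => fired.push('b'), 20);

  // Integers are not valid handles, so a guessed range cancels nothing.
  let guessCleared = false;
  for (let i = 0; i < 100; i++) guessCleared = timers.clearTimeout(i) || guessCleared;

  const ownCleared = timers.clearTimeout(handleA); // true: caller holds handleA
  const clearedTwice = timers.clearTimeout(handleA); // false: already cleared
  sched.runAll();

  // Contrast: with the raw integer API the same guessing loop does cancel
  // another script's timer, which is the issue raised in the thread.
  const raw = makeFakeScheduler();
  const rawFired = [];
  raw.schedule(() => rawFired.push('c'), 10);
  for (let i = 0; i < 100; i++) raw.cancel(i);
  raw.runAll();

  return { fired, guessCleared, ownCleared, clearedTwice, rawFired };
}
```

In a browser the same wrapper can be built as `makeOpaqueTimers(setTimeout, clearTimeout)`; the integer ids never leave the closure, and the only way to cancel a timer is to present the object returned when it was set.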