Re: [RequestAnimationFrame] Integer identifiers: let's not make the same mistake again.

On Mon, Jun 13, 2011 at 6:17 AM, David Bruant <david.bruant@labri.fr> wrote:

> Hi,
>
> setTimeout, setInterval both return an integer as an identifier. In my
> opinion, this is a mistake.
> If a milicous script comes up, and loops over an integer range, it can
> cancel intervals and timeouts without having been granted the right to
> do so. This is a security issue.
>

Hi David,

I'm not sure I understand exactly what you mean here - script can only
cancel timers that it set.  Could you expand a bit on what you mean by
"granted the right to do so"?

The reason for using integer identifiers is to remain close to
setTimeout/setInteval, but I think an opaque identifier would work equally
well.  I'm not sure what benefit it would give, however.

- James


> I do not know how currently JS engines implement identifier generation,
> but If at some point, they all do the same way, implementations may
> start relying on this behavior hence creating yet another de-facto
> standard. This should be avoided.
>
> requestAnimationFrame is following the same path. I would suggest to
> generate a non-forgeable identifier instead of integers.
> I have implemented such a thing for setTimeout with JavaScript objects
> as identifiers (https://gist.github.com/877797). Of course, non-JS
> implementations do not need to use objects as non-forgeable identifiers.
> Non-forgeable identifiers would solve both problems (security and risk
> of creating de-facto standard) without introducing any issue I could
> think of.
>
> Cheers,
>
> David
>
> Ps : adding Mark Miller to the discussion, because we've already been
> discussing similar issues on es-discuss before:
> https://mail.mozilla.org/pipermail/es-discuss/2011-March/013227.html
>
>

Received on Tuesday, 28 June 2011 20:44:46 UTC