- From: <sird@rckc.at>
- Date: Tue, 8 Dec 2009 17:43:10 +0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
- Message-ID: <8ba534860912080143p38cded68i2b0e25732c05bf07@mail.gmail.com>
Hi Adam

Yeah, I'm aware of those documents (and attacks), we've been playing with JS Sandboxes for quite some time now.

I have one here: http://sandbox.sirdarckcat.net/ feel free to break it =D

Gareth Heyes has another approach here: http://tinyurl.com/jsreg

I think a similar approach can be used, that's why I think this is possible on Mozilla at least.

To make this compatible with old browsers maybe: <script type="text/sandboxed-javascript"> would work.

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:35 PM, Adam Barth <w3c@adambarth.com> wrote:
> As you suggest, I've started a new thread.
>
> On Tue, Dec 8, 2009 at 1:29 AM, sird@rckc.at <sird@rckc.at> wrote:
> > I also like this option:
> >
> > 4. add a declarative option to <link> and <style> elements to say
> > the CSS parser should be in a "sandboxed" mode
> >
> > I am doing something like that already on ACS (
> > http://docs.google.com/View?id=ddqtfnx3_381fxp3zjf3 ) but having it on HTML5
> > would be greaaat.
> >
> > Would it be possible to add it to <script>? (I also support this on ACS
> > using Gareth Heyes's jsreg : http://tinyurl.com/jsreg ).
> >
> > In script it could work to define functions with a different principal..
> > this way the stuff in there can only work with references it receives from
> > user functions (should have the same type of protections Mozilla adds to
> > addons interacting with web content with Wrappers).
>
> It's not as simple as that. It is very difficult to mix JavaScript
> objects that belong to different principals. You can do it if you
> constrain the attacker to a "safe" subset of JavaScript like Caja, but
> in general, the attacker can wreck you with leaked pointers. If you'd
> like to learn more about this, you might be interested in reading:
>
> http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf
>
> and possibly
>
> http://www.adambarth.com/papers/2009/barth-jackson-li.pdf
>
> Adam
Received on Tuesday, 8 December 2009 09:44:10 UTC
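
The point in the thread about references leaking between principals, as an added example that is not part of the original messages: the sketch treats the current realm as the host and walks what a guest could reach from a single value it is handed, without calling anything. `pathToHostFunction` and the sample values are hypothetical and constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not from the thread.
// The "host" principal is the realm this file runs in. Its Function
// constructor compiles source text with host authority, so a reference to
// it must not be reachable from anything handed to another principal.
const HOST_FUNCTION = Function;

const isRef = (v) =>
  (typeof v === 'object' && v !== null) || typeof v === 'function';

// Breadth-first walk over what a holder of `root` can reach without calling
// anything: the prototype chain, own properties (string and symbol keys) and
// accessor functions. Returns the first path found to HOST_FUNCTION, or null
// (also when more than maxNodes objects have been visited).
function pathToHostFunction(root, maxNodes = 10000) {
  if (!isRef(root)) return null; // primitives carry no object references
  const seen = new Set([root]);
  const queue = [[root, 'value']];
  while (queue.length > 0 && seen.size <= maxNodes) {
    const [node, path] = queue.shift();
    if (node === HOST_FUNCTION) return path;
    const edges = [[Object.getPrototypeOf(node), `${path}.[[Prototype]]`]];
    for (const key of Reflect.ownKeys(node)) {
      const desc = Object.getOwnPropertyDescriptor(node, key);
      const label = `${path}.${String(key)}`;
      if ('value' in desc) edges.push([desc.value, label]);
      else edges.push([desc.get, `${label}<get>`], [desc.set, `${label}<set>`]);
    }
    for (const [next, label] of edges) {
      if (isRef(next) && !seen.has(next)) {
        seen.add(next);
        queue.push([next, label]);
      }
    }
  }
  return null;
}

// Constructed sample values a host might pass to a guest function.
const plainObject = { user: 'alice' };                 // ordinary literal
const callbackBag = Object.assign(Object.create(null), // no prototype, but
  { log: (msg) => String(msg) });                      // holds a host function
const dataOnly = Object.freeze(Object.assign(Object.create(null),
  { user: 'alice', quota: 5 }));                       // primitives only

console.log(pathToHostFunction(plainObject));
console.log(pathToHostFunction(callbackBag));
console.log(pathToHostFunction(dataOnly));
```

The first two calls print a path ending in `.constructor`; only the prototype-less, primitives-only value returns `null`.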