2009/12/8 Adam Barth <w3c@adambarth.com>
> It's not as simple as that. It is very difficult to mix JavaScript
> objects that belong to different principals. You can do it if you
> constrain the attacker to a "safe" subset of JavaScript like Caja, but
> in general, the attacker can wreck you with leaked pointers.
>
I constrain JavaScript using $$ rewriting. So for example:-
x=alert;
x(1)
Becomes:-
var $x$;$window$.$x$=$x$;
$x$=$alert$;
$x$(Number(1))
The code is executed in an iframe window and every function/property is
whitelisted. var is used to make all variables fallback to local scope and a
fake window object is used when doing stuff like:-
(1,[].sort)() // Firefox leaks window
I run a syntax check using function before and after the conversion. It
seems pretty safe but I haven't really had much help apart from a few people
on sla.ckers. The only drawback is objects that belong to another window, in
that case I need to pass the window scope to check if objects return to
window.
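Added example, not JSReg or any code from this thread: a toy JavaScript version of the $$ rewriting scheme described in the reply above, so the safety argument can be checked concretely. It assumes identifiers may not contain "$" (so rewritten names like $x$ and the helper named $$ cannot collide with user code), rejects template literals, does not tokenise regex literals, and omits the Number() wrapping of literals and the per-type built-in whitelists a usable sandbox would need. The two `new Function` compiles are the syntax checks before and after rewriting; the whitelist, the fake window and the `var` fallback are all there.

```javascript
'use strict';

// Added example, not the poster's tool. Assumption: identifiers may not contain "$",
// so rewritten names $x$ and the helper name $$ can never collide with user code.

const KEYWORDS = new Set(('break case catch class const continue debugger default delete do ' +
  'else extends false finally for function if in instanceof let new null of return switch ' +
  'this throw true try typeof undefined var void while with yield').split(' '));
const VALUE_WORDS = new Set(['this', 'true', 'false', 'null', 'undefined']);

// Rewrite every identifier x to $x$ (also after "." and in object literals) and every
// computed access a[b] to a[$$(b)]; keywords, strings, numbers and punctuation pass through.
// Regex literals are not tokenised (assumption): a mis-tokenised one is caught by the
// syntax check after rewriting, which refuses the script instead of running it.
function rewrite(src) {
  const names = new Set();
  const brackets = [];   // for each open "[": true if it is an index, false if an array literal
  let out = '', prev = 'punct', i = 0;
  while (i < src.length) {
    const rest = src.slice(i);
    let m;
    if ((m = /^\s+/.exec(rest))) { out += m[0]; i += m[0].length; continue; }
    if ((m = /^(?:\/\/[^\n]*|\/\*[\s\S]*?\*\/)/.exec(rest))) { i += m[0].length; continue; }
    if ((m = /^(?:'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*")/.exec(rest))) {
      out += m[0]; i += m[0].length; prev = 'value'; continue;
    }
    if ((m = /^(?:0x[0-9a-f]+|\d+\.?\d*(?:e[+-]?\d+)?)/i.exec(rest))) {
      out += m[0]; i += m[0].length; prev = 'value'; continue;
    }
    if ((m = /^[A-Za-z_$][\w$]*/.exec(rest))) {
      const id = m[0]; i += id.length;
      if (id.includes('$')) throw new SyntaxError('"$" is reserved in identifiers: ' + id);
      if (KEYWORDS.has(id)) { out += id; prev = VALUE_WORDS.has(id) ? 'value' : 'keyword'; continue; }
      out += '$' + id + '$'; names.add('$' + id + '$'); prev = 'value'; continue;
    }
    const ch = rest[0]; i += 1;
    if (ch === '`') throw new SyntaxError('template literals are not supported');
    if (ch === '[') { const idx = prev === 'value'; brackets.push(idx); out += idx ? '[$$(' : '['; prev = 'punct'; continue; }
    if (ch === ']') { out += brackets.pop() ? ')]' : ']'; prev = 'value'; continue; }
    out += ch; prev = ch === ')' ? 'value' : 'punct';
  }
  return { code: out, names };
}

// Runtime helper for computed access: integer indexes reach the array element, anything else
// is wrapped as $key$, so obj["constructor"] becomes obj["$constructor$"] and finds nothing.
function $$(key) {
  return (typeof key === 'number' && Number.isInteger(key) && key >= 0) ? key : '$' + String(key) + '$';
}

// Build the fake window: only listed names exist, and they exist under their $name$ spelling.
function expose(api) {
  const out = Object.create(null);   // no Object.prototype, so not even $constructor$ is there
  for (const [k, v] of Object.entries(api)) {
    out['$' + k + '$'] = (v !== null && typeof v === 'object' && !Array.isArray(v)) ? expose(v) : v;
  }
  return out;
}

function sandboxRun(src, api) {
  new Function(src);                          // syntax check before rewriting (compiles, does not run)
  const { code, names } = rewrite(src);
  const win = expose(api);
  const extra = Object.entries(win).filter(([k]) => k !== '$window$' && k !== '$$');
  const params = ['$window$', '$$', ...extra.map(([k]) => k)];
  const locals = [...names].filter((n) => !params.includes(n));
  // "use strict" keeps `this` undefined in bare calls; the var line makes every other name local.
  const body = '"use strict";' + (locals.length ? 'var ' + locals.join(',') + ';' : '') + code;
  const fn = new Function(...params, body);   // syntax check after rewriting
  return fn.call(win, win, $$, ...extra.map(([, v]) => v));
}

// Run untrusted source and report whether it completed; escape attempts end in a
// TypeError or ReferenceError because the names they need were rewritten out of existence.
function attempt(src, api) {
  try { return { ok: true, value: sandboxRun(src, api) }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}

// Constructed demo input: a legitimate script plus some classic escape attempts.
function demo() {
  const log = [];
  const api = { alert: (m) => { log.push(String(m)); }, Math: { max: Math.max } };
  const escapes = ['(1,[].sort)()', '[].constructor.constructor("return this")()',
    'this.constructor.constructor("return this")()', 'eval("1")', 'arguments.callee',
    'window["constructor"]("return this")()', '(function(){ return this })().alert(1)'];
  sandboxRun('x = alert; x(Math.max(1, 7)); window["alert"]("hi")', api);
  return { log, escapes: escapes.map((s) => [s, attempt(s, api)]) };
}
console.log(JSON.stringify(demo(), null, 1));
```

In the demo, `window["alert"]("hi")` still works because the computed key goes through `$$`, while `window["constructor"]` resolves to `$constructor$` and finds nothing. `(1,[].sort)()` fails with a TypeError because `[].$sort$` does not exist on any real array, not because the fake window intercepts it. Built-in methods such as `length` or `push` are equally unreachable until exposed the same way, which is the cost of a pure whitelist.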