- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 28 Mar 2011 14:06:10 -0700
- To: public-web-security@w3.org
Sorry for spamming the list with lots of questions. I'm just emailing questions as they come up in the implementation. [[ User-agents must prevent strings from being converted to ECMAScript code, including calls to: eval() new Function() constructor setTimeout() called with a String argument setInterval() called with a String argument ]] Suppose the page does call setTimeout with a string. How should the user agent handle the error? For example, in Step 6 of http://www.whatwg.org/specs/web-apps/current-work/#dom-windowtimers-settimeout, the user agent is instructed to "Return handle". Should that step occur or should we return a null handle? Should setTimeout throw an exception? There are similar questions for the other functions that convert strings to code. Also, what about non-ECMAScript code? For example, if the user agent supported VBScript as a scripting language (e.g., Internet Explorer), should the user agent prevent strings from being turned into that sort of code? Proposal: We should return a null handle from setTimeout and setInterval. That lets the page detect the error would being so drastic as to throw an exception. We could also log to the error console (and of course report via the reporting-uri) to make the error more visible to developers. Adam
Received on Monday, 28 March 2011 21:07:16 UTC