[Bug 11769] New: I have just implemented a 'javascript sandbox' using iframes and postMessage, exactly as intended by the specification. Thank you! It works beautifully! Safe XSS at last! Of course, now the next problem comes into view: I have all these IFrames/Objects wi

http://www.w3.org/Bugs/Public/show_bug.cgi?id=11769

           Summary: I have just implemented a 'javascript sandbox' using
                    iframes and postMessage, exactly as intended by the
                    specification. Thank you! It works beautifully! Safe
                    XSS at last! Of course, now the next problem comes
                    into view: I have all these IFrames/Objects wi
           Product: WebAppsWG
           Version: unspecified
          Platform: Other
               URL: http://www.whatwg.org/specs/web-apps/current-work/#top
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Web Messaging (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: contributor@whatwg.org
         QAContact: member-webapi-cvs@w3.org
                CC: mike@w3.org, public-webapps@w3.org


Specification: http://dev.w3.org/html5/postmsg/
Section: http://www.whatwg.org/specs/web-apps/current-work/complete.html#top

Comment:
I have just implemented a 'javascript sandbox' using iframes and postMessage,
exactly as intended by the specification. Thank you! It works beautifully!
Safe XSS at last!

Of course, now the next problem comes into view: I have all these
IFrames/Objects with their sandboxed javascript coming from remote servers
that I can talk to... but no idea how much CPU they are consuming, or when
they crash.

What's needed is something like "window.getCpuUsage()". Most of the rest of a
reasonable scheduling system can then be built entirely within javascript. 

The next obvious step would be to generalize that to all important resources 
consumed by the embedded object; memory, bandwidth, and open connections.
Views of these statistics are available within many browser debuggers, but not
on reflection to the javascript itself. This information should probably be
available to both the containing page, and the contained object.

With this one simple problem solved (detecting abusive/broken 'sub-process'
javascript by its behavior) javascript is free to become, in many ways, a
fully-fledged operating system.

Or at the very least, slow down its animations or entropy generator to not
totally consume all my CPU.

Jeremy Lee  BCompSci(Hons)
jeremy@unorthodox.com.au

Posted from: 58.106.139.138


Received on Saturday, 15 January 2011 07:54:57 UTC