- From: Hallvord R M Steen <hallvors@gmail.com>
- Date: Thu, 15 Dec 2005 14:11:13 +0100
Just playing around with ideas for other security models for SCRIPT. A script from another server today has no limits if included in a page with a SCRIPT src= tag. In many scenarios it would be interesting to a webmaster to have a sort of "grades of trust" approach and specify some more about what one would allow a foreign script to do, for example but not limited to when including third-party advertising. However, I would rather not see anything approaching the Java security model in terms of complexity.

Here's what I thought: a new attribute "sandbox" (or "securitypolicy", name doesn't matter much) might tell the UA something about what the script can do:

<script src="..." sandbox="writeonly"> - script may use ECMAScript features and variables already created in the page but may not use any host objects or methods except document.open / .write / .close. Typical use case is advertisement scripts that only add content to the document.

<script src="..." sandbox="none"> - script may not alter the document at all, only create variables. Typical use case is a script that just adds data from a third-party source, for example creates arrays or JSON structures.

(Perhaps also <script src="..." sandbox="dom"> to indicate that a script should have DOM access - but that pretty much equals access to everything, same as leaving out the sandbox attribute completely..)

In all cases the limitation would apply only to the thread created by that SCRIPT tag. Functions defined in those scripts might be called later and would run with normal privileges.

-- 
Hallvord R. M. Steen
Received on Thursday, 15 December 2005 05:11:13 UTC