- From: Alexey Feldgendler <alexey@feldgendler.ru>
- Date: Sun, 28 May 2006 16:47:05 +0700

On Sun, 28 May 2006 03:31:56 +0700, Mihai Sucan <mihai.sucan at gmail.com> wrote:

>> Sandboxes would, of course, deal with this, but there is a much simpler
>> measure targeted specifically at such exploits.

> Yes, sandboxes are somehow overkill, like "did the web reach this level
> already?". That's something along the line: "do authors really need such
> advanced capabilities?".
>
> Thinking of sandboxing is like viruses are already running in the wild.
> However, it's better to think forward and take caution.

I didn't say sandboxes are overkill. The concept of sandboxing is a result of analyzing vulnerabilities found in modern web applications, like CMS, blogs, forums etc. They do need that level of control. What I said is that sandboxes are a long way to go, something that probably won't be in common use in the next several years. However, there is a whole class of attacks which can be prevented by a much simpler measure, and that's what I was writing about.

>> 9. Optionally, execution time limit may be imposed on the thread, so
>> that it doesn't make the document unrenderable by running an endless
>> loop inside CSS expression().

> Of course. I like that Gecko and Konqueror got the execution time limit. It's
> something important, since authors can create malicious pages which
> bring down the entire browser.

Actually, the execution time limit is somewhat out of scope; I just mentioned it because it came to my head. The limit is useful in many other places than those I listed, for example, for event listeners. However, even if such a limit is not imposed, a well-designed browser won't be taken down by an endless loop in a script: maybe the page will become unresponsive, but other open pages will be usable.

>> The above is very raw thoughts. I'd like to hear some feedback on the
>> idea itself.

> Interesting thoughts, but I don't know why I don't find myself
> enthusiastic about the "side-effect free script" notion you've detailed.

I would insist on taking only rational arguments into account.

> Maybe something better is still needed.

Maybe someone else will offer something better.

-- 
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com
Received on Sunday, 28 May 2006 02:47:05 UTC