[whatwg] Side effects free scripts from Andrew Fedoniouk on 2006-06-01 (public-whatwg-archive@w3.org from May 2006)

From: Andrew Fedoniouk <news@terrainformatica.com>
Date: Wed, 31 May 2006 21:14:56 -0700
Message-ID: <003001c68531$f0cbd620$3401a8c0@TERRA>

----- Original Message ----- 
From: "Alexey Feldgendler" <alexey@feldgendler.ru>
To: <whatwg at whatwg.org>

Subject: Re: [whatwg] Side effects free scripts

> On Thu, 01 Jun 2006 05:43:42 +0700, Andrew Fedoniouk 
> <news at terrainformatica.com> wrote:
>
>> I don't know any algorithm of random number generation which is not
>> using previous value stored somewhere (seed). (I mean software based
>> random generation only)
>
> There are software random number generators which gather entropy from 
> user's input (the timing between keypresses, for example). And there are 
> hardware random nubmer generators.

How "gather entropy from user's input" is related to the Math.random() as it 
is declared in ECMAScript?

>
> Anyway, it's a theoretical discussion which is not relevant to script 
> security.

Yep.

"Given a description of a program and its initial input,
determine whether the program, when executed on this input,
ever halts (completes).  The alternative is that it runs forever
without halting. "

Alan Turing proved in 1936 that a general algorithm to solve the halting
problem for *all* possible program-input pairs cannot exist.

(Wikipedia et all)

>
> Whether Math.random() should be considered safe for side effects free 
> scripts or not is an arguable question. There is no danger in allowing 
> Math.random() in CSS expression() from the security standpoint. But at the 
> same time allowing Math.random() means that it's possible that the script 
> returns different values each time invoked, which makes the life of the 
> layout engine harder.
>

Even worse: if you have some third party code between Math.random() 
invocations in your code then you may get the same number each time.

The only feasible solution when you can guarantee something is to run 
scripts
in sandbox but this involves creation of brand new scripting VM (memory 
space, set of globals, etc.) each time you need to evaluate formula.
This is the whole point of script security.

Practically it means that CSS for example should have its own scripting 
engine or no such things as expression() at all.

What is the purpose of the expression() there, btw? :)

Andrew Fedoniouk.
http://terrainformatica.com

Received on Wednesday, 31 May 2006 21:14:56 UTC