- From: James M Snell <jasnell@gmail.com>
- Date: Fri, 12 Jan 2007 08:34:03 -0800
Hello, I've recently been musing over some ideas around sandboxing scripts and styles within a document [1]. The basic idea is to have some means of isolating potentially untrustworthy scripts. From my blog entry: "Scripts within the sandbox would only see the DOM of the sandbox. Methods defined outside the sandbox would still be accessible. External methods could return objects from outside the sandbox." The example I go on to give is this: <html> <body> <script> function getElement(id) { return document.getElementById(id); } </script> <sandbox id="a"> <div id="a1"></div> <script> // this will fail because b1 does not exist in sandbox a document.getElementById('b1').innerHTML = "foo"; // this will succeed because getElement(id) can be called from within sandbox a getElement('b1').innerHTML = "foo"; </script> </sandbox> <sandbox id="b"> <div id="b1"></div> </sandbox> </body> </html> The use of the sandbox tag is purely illustrative. As Asbj?rn Ulsberg points out in the comments on my entry, the same effect could be achieved using either a new DOM and/or CSS property. For instance, we could replace the <sandbox> with <div style="scripts:restricted"> (or some variation thereof). Whatever shape the mechanism ultimately takes, having a way of isolating scripts within a document would be extremely beneficial. Thoughts? - James [1] http://www.snellspace.com/wp/?p=582
Received on Friday, 12 January 2007 08:34:03 UTC