jason.orendorff at gmail.com
Thu Nov 1 16:13:03 PDT 2007
On Nov 1, 2007 3:46 PM, Kris Zyp <kriszyp at xucia.com> wrote:
> >> It's a sandbox, right? Should be safe. Not so fast:
> > last they gave up. rexec was removed from the language. I know of no
> sandbox every time there is a frame from a different domain.
That sandbox has been very carefully designed and implemented--and
reimplemented--over a period of decades by people who specialize in
the field. I don't want to get too far into it, but it's seriously
not the best analogy. The browser sandbox is complex and nuanced.
It's nontrivial to see why it's secure. It exposes rather a lot of
objects. There are many potential holes that are specially plugged.
I don't know about other browsers, but at Mozilla we still haven't
reduced the pace of vulnerabilities to zero, and these guys have been at it
for some time now. (This year--2007, mind you--saw significant new
work on Mozilla's sandboxing model. Not a joke.)
What you're talking about is a simple sandbox-construction scheme.
You would want it to be the opposite of the browser sandbox in a lot
of respects. You would want it to be simple, trivially secure,
exposing a small surface of attack, devoid of special cases, and with
zero vulnerabilities by construction. All of which may be possible--I
hear .NET has some easy, high-level sandboxing APIs--but browser
But the only point I was trying to make was that providing a fun
eval(s, obj) and encouraging users to "roll their own" sandboxes would
> BTW, if only string information was allowed to flow between, this would not be nearly as difficult, right?
Urrrr, I'm not sure, but anyway that isn't the feature people are
asking for. Sandboxes are useful because they expose limited
*functionality*--meaning objects and methods--to untrusted code.
I'd better stop here, because I'm not an expert on this.