[TLUG]: ECMAScript ("Javascript") Version 4 - FALSE ALARM

Kris Zyp kriszyp at xucia.com
Wed Oct 31 09:55:11 PDT 2007

> String.prototype.evaluate = function (scope) {
>     /* eval this in scope and only scope -- no other scope chain
> contents! */
> };

To me this like an extremely useful feature for security. If future browsers
had the combination of some ability to make cross-site requests (JSONRequest
or cross site XMLHttpRequest), and this sandboxed eval, with the getters and
setters of ES4, developers can create safe sandboxes with host object
wrappers with fine grained access control to enable cross site scripts to be
loaded and executed with controlled limited ability to interact with
environments. I think if we had these capabilities, the most gaping hole in
browser security could be effectively dealt with. One thing could make this
a little smoother would be a constructor for a global object, with it's own
set of global values, Object, Array, etc. for the sandboxed code to
mutilate. Nice, but I don't think necessary.
Perhaps, I am missing something, and I don't know for sure how to capitalize
the s in security, but this seems a way more valuable asset to security than
constraints provided by fixtures and intrinsics.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.mozilla.org/pipermail/es-discuss/attachments/20071031/f9578bbc/attachment-0002.html 

More information about the Es4-discuss mailing list