"Remaining Hazards and Mitigating Patterns of Secure Mashups in ECMAScript 5"

Aymeric Vitte vitteaymeric at gmail.com
Tue Mar 20 16:41:18 PDT 2012


Thanks for your answer, I am myself involved since some time in the DOM 
and gadgets/widgets's interaction topic.

I will hear the presentation, right now I have a (stupid) problem of non 
working headphones.

Bob and Alice are ok, but sometimes a good real example can help (last 
paragraph).

setTimeout(xxx, 0 or 1 or 2 or 500) could be questionable because this 
is supposed to be fordidden (or not good code...), but surprisingly all 
major sites do use it, myself too (https://github.com/Ayms/node-dom), 
regarding http://dbaron.org/log/20100309-faster-timeouts : web workers 
or postmessage --> bof, I used both in the past for other purposes, 
prefer setTimeout here

Then if I understand correctly a short summary could be that Caja does 
help for example iGoogle to move gadgets outside of iframes then they 
potentially could hurt things but Caja does prevent it and allow them to 
interact between each others safely (using ES5 improvements)

OK but not everybody is coding safely like Google (even if iGoogle code 
is very surprising...), then it's difficult to estimate the overall 
benefit and usuability.


    It's the same issue as multiple globals (if the concept of globals
    still exist in the future) I believe : how to separate completely
    several contexts while using objects between each others ? Looks
    very difficult


It's not exactly the same case in fact, except if each gadget becomes an 
entity with its global object derived from itself (but not an iframe)

For proxies, I am not expert, what does it bring to emulate the dom 
faithfully ?

Le 20/03/2012 06:27, Mark S. Miller a écrit :
> On Mon, Mar 19, 2012 at 3:10 PM, Aymeric Vitte <vitteaymeric at gmail.com 
> <mailto:vitteaymeric at gmail.com>> wrote:
>
>     'Avoid “this”. Use closures rather than prototypes'
>
>     Probably the public was stunned by that one... (technical problems
>     too, could not hear the video, just saw the slides)
>
>
> Not really. I expected more resistance than I got. During the 20 
> minutes of lively Q&A, this came up again. I clarified then something 
> I should have said earlier in the talk. The objects that need to be 
> defensive are those that might be exposed across a trust boundary, 
> such as the counter in the first example. For objects purely inside 
> one trust domain, given that we really are confident they cannot 
> escape, they do not need to be defensive since their clients are all 
> presumably intimately cooperative.
>
>
>     Technically for the purpose of your presentation, it is correct,
>     but I am coming back again to real life, you are using strict mode
>     and other means (such as questionnable setTimeout(xxx,0)) to
>     secure Bob.
>
>
> Sorry, but we're using these techniques in real life. And what's 
> questionable about setTimeout? (or better, 
> <http://dbaron.org/log/20100309-faster-timeouts>)
>
>
>     Then what is the use of Bob if he can not do anything outside of
>     himself ?
>
>
> Please do make an effort to surmount whatever technical difficulties 
> you encountered, so that you can listen to the audio of the 
> presentation. The slides were not constructed to be self explanatory, 
> and the talk was clear on this point.
>
>
>     A much more trivial security leak could be that the calling
>     context does somewhere unexpectedly (or not) something like
>     counter.x.y.z=window (Ex : like passing a node to Bob since it
>     seems that Bob has to do some stuff with the dom to be usefull)
>
>
> If Alice does not trust Bob, Alice should generally never give Bob 
> direct unmediated access to one of her dom nodes. Instead, she gives 
> him access to a virtual dom tree that wraps the real dom tree, 
> allowing Bob to manipulate a subtree of Alice's dom tree. We 
> constructed the Domado library 
> <http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/domado.js> 
> for exactly this purpose.
>
> The difficultly of emulating the dom faithfully in JS was also the 
> original impetus for the proxy work. The Domado library above does not 
> rely on proxies, as they are not yet as available as ES5.
>
>
>     It's the same issue as multiple globals (if the concept of globals
>     still exist in the future) I believe : how to separate completely
>     several contexts while using objects between each others ? Looks
>     very difficult
>
>     I might be wrong, but on what today's examples the demonstration
>     here could apply without Bob being useless or just returning
>     something like a mathematical calculation or such not touching
>     anything in the page ?
>
>
> I'm sorry, I didn't understand these last two paragraphs. Could you 
> clarify?
>
> You might also want to try some of the scenarios you have in mind at 
> <https://caja.appspot.com/>.
>
>
> -- 
>     Cheers,
>     --MarkM

-- 
jCore
Email :  avitte at jcore.fr
Web :    www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120321/9dfb8cbc/attachment-0001.html>


More information about the es-discuss mailing list