Mutable Proto

Mark S. Miller erights at google.com
Fri Mar 22 11:33:51 PDT 2013


On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:

>  As far as I remember  when I looked at it, there was a getfreevar
> function or something like this parsing the code (or I misunderstood, see
> [1] but don't read the proposal, it's wrong, even if I don't totally give
> up with the concept).
>

Are you referring to the function atLeastFreeVarNames at
<https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/atLeastFreeVarNames.js>?
It does scan the source using regular expressions to look for all possible
identifiers. But it doesn't do a full parse or even lex. As a result, it
picks up identifiers in comments and literal strings as well. Security only
requires that the code being scanned cannot contain a free (and
therefore global) variable reference without it being included in
atLeastFreeVarNames's result.



>
> But anyway, since it will change, does it exist an official document about
> SES concepts (strawman or other) ?
>

Nothing official yet. But see

https://code.google.com/p/google-caja/wiki/SES
http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf



>
> Regards,
>
> [1] https://gist.github.com/Ayms/2995641#another-approach-can-be-cajavm-
>
> On 21/03/2013 22:17, Kevin Reid wrote:
>
>  Correction:
>
> On Thu, Mar 21, 2013 at 2:16 PM, Kevin Reid <kpreid at google.com> wrote:
>
>> Yes. SES requires 'with' as a means to hook into 'global' variable reads
>> and writes; without it, it is impossible
>
>
>  without performing a parse and scope analysis of the code to be evaluated
>
>
>> to emulate the semantics of browser global environments, such as in:
>
>
>
>
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>
> --
> jCore
> Email :  avitte at jcore.fr
> iAnonym : http://www.ianonym.com
> node-Tor : https://www.github.com/Ayms/node-Tor
> GitHub : https://www.github.com/Ayms
> Web :    www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com
>
>


-- 
    Cheers,
    --MarkM
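
The over-approximation described in the message above, as an added example that is not part of the original post and is not the Caja source: a regex scan that returns a superset of the names a script could reference freely. The function name `conservativeVarNames`, the ASCII-only identifier pattern, and the rejection of unicode escapes and non-ASCII input are assumptions of this sketch.

```javascript
// Added illustration; not the Caja/SES implementation. ASCII-only sketch.
const IDENT = /[A-Za-z_$][A-Za-z0-9_$]*/g;

// Returns every identifier-shaped token in src, without lexing or parsing.
// The result may contain too much (keywords, property names, words inside
// comments and strings) but must never omit a name the code could use as
// a free variable.
function conservativeVarNames(src) {
  src = String(src);
  // Assumption of this sketch: refuse input the ASCII pattern cannot cover.
  // A name spelled with a \uXXXX escape or a non-ASCII letter would be
  // missed by IDENT, which would break the superset guarantee.
  if (/\\u/.test(src) || /[^\x00-\x7f]/.test(src)) {
    throw new SyntaxError('unicode escapes and non-ASCII source are rejected');
  }
  const names = new Set(src.match(IDENT) || []);
  return Array.from(names).sort();
}

// Constructed sample input.
const SAMPLE = [
  '// touches window only in this comment',
  'var local = 1;',
  'var msg = "mentions location in a string";',
  'document.title = msg + local;'
].join('\n');

function demo() {
  const names = conservativeVarNames(SAMPLE);
  return {
    names,
    hasRealFreeVar: names.includes('document'), // genuinely free in SAMPLE
    hasCommentWord: names.includes('window'),   // false positive: comment
    hasStringWord: names.includes('location')   // false positive: string
  };
}

console.log(demo());
```

The false positives only widen the set of names that get intercepted; a missed name is the case that matters for security, which is why the sketch rejects input it cannot scan soundly.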