Mark S. Miller
erights at google.com
Sun Mar 24 07:04:19 PDT 2013
On Sun, Mar 24, 2013 at 10:44 AM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:
> On 22/03/2013 19:33, Mark S. Miller wrote:
> On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:
>> As far as I remember when I looked at it, there was a getfreevar
>> function or something like this parsing the code (or I misunderstood, see
>> but don't read the proposal, it's wrong, even if I don't totally give
>> up on the concept).
> Are you referring to the function atLeastFreeVarNames at <
> It does scan the source using regular expressions to look for all possible
> identifiers. But it doesn't do a full parse or even lex. As a result, it
> picks up identifiers in comments and literal strings as well. Security only
> requires that the code being scanned cannot contain a free (and
> therefore global) variable reference without it being included in
> atLeastFreeVarNames's result.
> Yes, exactly, indeed it's not parsing but "regexping".
>> But anyway, since it will change, is there an official document
>> about SES concepts (strawman or other)?
> Nothing official yet. But see
> Thanks, for  there is a script supposed to "tame" the page, trying to
> use a kind of home-made Object.observe which just shadows some DOM
> prototype properties and assign getters/setters,
You should check out the rest of Caja, which is an integrated solution that
* ES5/3 to emulate ES5 and SES when on a pre-ES5 browser
* Domado to tame the DOM and browser API
* HTML and CSS rewriters that sanitize by sandboxing the scripts they
encounter rather than removing them.
> unexpectedly the behavior is different in each browser, and globally this
> does not work at all as such, maybe the override problem, more probably
> when I am back to it.
When used through Caja, the allowed subset of browser behaviors appears much
more uniform and reliable.
* SES compensates for the override mistake with cajaVM.tamperProof <
and cajaVM.def <
* ES5/3 purposely does not emulate the ES5 override mistake. This has not
broken anything yet, giving us further evidence that this mistake might
still be repairable.
* Domado presents a more regular browser API, compensating for many
differences of the underlying platform.
* The HTML and CSS rewriters emit normalized HTML and CSS, so you don't
need to worry about differences in how browsers parse the abnormal cases.
I hope these are useful for you.
Further discussion which is Caja specific and not of general interest
should occur on google-caja-discuss at googlegroups.com (cc'ed).
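The conservative scan discussed in this message, as an added JavaScript example that is not part of the original thread and is not Caja or SES code: a regular-expression scan returns a superset of the free variable names, and each scanned name is then shadowed so it cannot resolve to a global. The names `scanNames`, `isBindable` and `runShadowed` are hypothetical, the refusal of `\u` escapes and non-ASCII source is this sketch's own assumption, and only the name-shadowing step is shown.

```javascript
// Added illustration. scanNames, isBindable and runShadowed are hypothetical
// names for this sketch; they are not functions from Caja or SES.
const IDENT = /[A-Za-z_$][A-Za-z0-9_$]*/g;

// Over-approximate the free variable names of `src`: every identifier-shaped
// run of characters counts, including ones inside comments and strings.
function scanNames(src) {
  // Assumption of this sketch: an identifier written with a \u escape or a
  // non-ASCII letter would not match IDENT, so such source is refused.
  if (/\\u|[^\x00-\x7f]/.test(src)) {
    throw new Error('source cannot be scanned conservatively');
  }
  return [...new Set(src.match(IDENT) || [])];
}

// Keywords and other names that cannot be strict-mode parameters are never
// variable references that could be shadowed, so they are filtered out.
function isBindable(name) {
  try {
    new Function(name, '"use strict";');
    return true;
  } catch (e) {
    return false;
  }
}

// Evaluate an expression with every scanned name bound as a parameter:
// names in `endowments` get the supplied value, all others get undefined,
// so no free reference in `src` can resolve to a real global.
// Only this shadowing step is shown: eval is refused, and reaching globals
// through the Function constructor is outside this sketch.
function runShadowed(src, endowments = {}) {
  const names = scanNames(src);
  if (names.includes('eval')) throw new Error('eval is not handled here');
  const params = names.filter(isBindable);
  const own = (n) => Object.prototype.hasOwnProperty.call(endowments, n);
  const args = params.map((n) => (own(n) ? endowments[n] : undefined));
  const body = '"use strict"; return (' + src + '\n);';
  return new Function(...params, body)(...args);
}

// Constructed sample input: "process" appears only inside a comment.
const sample = 'x + 1 /* process is only named in this comment */';
console.log(scanNames(sample));
console.log(runShadowed(sample, { x: 41 }));
console.log(runShadowed('typeof process'));
```

Names found only in comments or strings are shadowed too, which costs nothing; the scan must never miss a name that is a real free reference.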