Mutable Proto

Mark S. Miller erights at google.com
Sun Mar 24 07:04:19 PDT 2013


[+google-caja-discuss]

On Sun, Mar 24, 2013 at 10:44 AM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:

>
> Le 22/03/2013 19:33, Mark S. Miller a écrit :
>
> On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:
>
>> As far as I remember, when I looked at it, there was a getfreevar
>> function or something like this parsing the code (or I misunderstood, see
>> [1] but don't read the proposal, it's wrong, even if I don't totally give
>> up on the concept).
>>
>
> Are you referring to the function atLeastFreeVarNames at <
> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/atLeastFreeVarNames.js>?
> It does scan the source using regular expressions to look for all possible
> identifiers. But it doesn't do a full parse or even lex. As a result, it
> picks up identifiers in comments and literal strings as well. Security only
> requires that the code being scanned cannot have a free (and
> therefore global) variable reference without it being included in
> atLeastFreeVarNames's result.
>
>
> Yes, exactly, indeed it's not parsing but "regexping".
>
>>
>> But anyway, since it will change, is there an official document
>> about SES concepts (strawman or other)?
>>
>
> Nothing official yet. But see
>
> https://code.google.com/p/google-caja/wiki/SES
>
> http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf
>
>
> Thanks, for [1] there is a script supposed to "tame" the page, trying to
> use a kind of home-made Object.observe which just shadows some DOM
> prototype properties and assigns getters/setters,
>



You should check out the rest of Caja, which is an integrated solution that
uses
* SES to secure the JavaScript portion if on an ES5 platform
* ES5/3 to emulate ES5 and SES when on a pre-ES5 browser
* Domado to tame the DOM and browser API
* HTML and CSS rewriters that sanitize by sandboxing the scripts they
  encounter rather than removing them.



> unexpectedly the behavior is different in each browser, and globally this
> does not work at all as such, maybe the override problem, more probably
> when I am back to it.
>

When used through Caja, the allowed subset of browser behaviors appears much
more uniform and reliable.
* SES compensates for the override mistake with cajaVM.tamperProof
  <https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#371>
  and cajaVM.def
  <https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#891>.
* ES5/3 purposely does not emulate the ES5 override mistake. This has not
  broken anything yet, giving us further evidence that this mistake might
  still be repairable.
* Domado presents a more regular browser API, compensating for many
  differences of the underlying platform.
* The HTML and CSS rewriters emit normalized HTML and CSS, so you don't
  need to worry about differences in how browsers parse the abnormal cases.

I hope these are useful for you.

Further discussion which is Caja specific and not of general interest
should occur on google-caja-discuss at googlegroups.com (cc'ed).



>
> [1] http://www.ianonym.com
>
> Regards,
>
>
> --
> jCore
> Email :  avitte at jcore.fr
> iAnonym : http://www.ianonym.com
> node-Tor : https://www.github.com/Ayms/node-Tor
> GitHub : https://www.github.com/Ayms
> Web :    www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com
>
>

-- 
  Cheers,
  --MarkM
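The property Mark describes for atLeastFreeVarNames (a regex scan that may pick up extra names from comments and strings, but must never miss a real free variable) is illustrated below with an added example. It is not Caja's own code; the names atLeastFreeVarNames, confine and endowments are this example's, and it simply refuses source with \u escapes or with eval/arguments rather than handling them as SES does.

```javascript
// Added example, not Caja's own code: an over-approximating identifier scan
// in the spirit of atLeastFreeVarNames, and a confine() that uses it so that
// no free reference in the evaluated source can reach the real global object.

// Anything that could lex as an identifier, including text inside comments
// and string literals. Over-approximation is intended: an extra name is
// harmless (it just gets bound to undefined), a missed name would be a hole.
const IDENT_RE = /[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*/gu;

const RESERVED = new Set(('break case catch class const continue debugger ' +
  'default delete do else export extends finally for function if import in ' +
  'instanceof new return super switch this throw try typeof var void while ' +
  'with yield let static enum await implements package protected interface ' +
  'private public null true false').split(' '));

function atLeastFreeVarNames(src) {
  // Identifiers spelled with \u escapes would slip past IDENT_RE, so this
  // scan refuses such source outright rather than risk missing a name.
  if (/\\u/.test(src)) throw new SyntaxError('unicode escapes not supported');
  const names = new Set();
  for (const m of src.matchAll(IDENT_RE)) {
    if (!RESERVED.has(m[0])) names.add(m[0]);
  }
  return [...names].sort();
}

// Evaluate src with every candidate name bound as a parameter: names present
// in `endowments` get that value, all others get undefined. Any reference
// the scan failed to find would resolve on the global object, which is why
// the scan must over-approximate.
function confine(src, endowments = {}) {
  const names = atLeastFreeVarNames(src);
  // 'eval' and 'arguments' cannot be parameter names in strict code; real
  // SES handles them specially, this example simply rejects them.
  if (names.includes('eval') || names.includes('arguments')) {
    throw new SyntaxError('eval/arguments not supported by this example');
  }
  const values = names.map(n =>
    Object.prototype.hasOwnProperty.call(endowments, n) ? endowments[n] : undefined);
  const fn = new Function(...names, '"use strict";\n' + src);
  return fn.apply(undefined, values);
}
```

The word "secret" inside a comment is reported as a candidate name, which is the harmless side of the over-approximation; a reference to setTimeout inside confine() sees undefined because the scan bound it before the code ran.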