Mutable Proto

Mark S. Miller erights at
Sun Mar 24 07:04:19 PDT 2013


On Sun, Mar 24, 2013 at 10:44 AM, Aymeric Vitte <vitteaymeric at>

> On 22/03/2013 19:33, Mark S. Miller wrote:
> On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <vitteaymeric at>
>  wrote:
>> As far as I remember, when I looked at it, there was a getfreevar
>> function or something like this parsing the code (or I misunderstood, see
>> [1], but don't read the proposal, it's wrong, even if I don't totally give
>> up on the concept).
> Are you referring to the function atLeastFreeVarNames at <
> It does scan the source using regular expressions to look for all possible
> identifiers. But it doesn't do a full parse or even lex. As a result, it
> picks up identifiers in comments and literal strings as well. Security only
> requires that the code being scanned cannot have a free (and
> therefore global) variable reference without it being included in
> atLeastFreeVarNames's result.
> Yes, exactly, indeed it's not parsing but "regexping".
>> But anyway, since it will change, is there an official document
>> about SES concepts (strawman or other)?
> Nothing official yet. But see
> Thanks. For [1], there is a script supposed to "tame" the page, trying to
> use a kind of home-made Object.observe which just shadows some DOM
> prototype properties and assigns getters/setters,

You should check out the rest of Caja, which is an integrated solution combining:
* SES to secure the JavaScript portion if on an ES5 platform
* ES5/3 to emulate ES5 and SES when on a pre-ES5 browser
* Domado to tame the DOM and browser API
* HTML and CSS rewriters that sanitize by sandboxing the scripts they
encounter rather than removing them.

> unexpectedly the behavior is different in each browser, and globally this
> does not work at all as such, maybe the override problem, more probably
> when I am back to it.

When used through Caja, the allowed subset of browser behaviors appears much
more uniform and reliable.
* SES compensates for the override mistake with cajaVM.tamperProof <>
and cajaVM.def <
* ES5/3 purposely does not emulate the ES5 override mistake. This has not
broken anything yet, giving us further evidence that this mistake might
still be repairable.
* Domado presents a more regular browser API, compensating for many
differences of the underlying platform.
* The HTML and CSS rewriters emit normalized HTML and CSS, so you don't
need to worry about differences in how browsers parse the abnormal cases.

I hope these are useful for you.

Further discussion which is Caja specific and not of general interest
should occur on google-caja-discuss at (cc'ed).

> [1]
> Regards,
> --
> jCore
> Email :  avitte at
> iAnonym :
> node-Tor :
> GitHub :
> Web :
> Webble :
> Extract Widget Mobile :
> BlimpMe! :
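Two points in the exchange above lend themselves to a runnable illustration: the "regexping" that atLeastFreeVarNames does (every possible identifier in the raw source is collected, comments and string literals included, so a free variable can be over-reported but never missed), and the ES5 override mistake that cajaVM.tamperProof works around. The code below is an added example written for this page; it is not SES or Caja code, and the functions atLeastFreeVarNames, confine, tamperProof and the two demo functions are modelled on the ideas described in the thread rather than taken from the real implementation. The confine helper binds every scanned name as a parameter of a strict-mode function so that no identifier in the source can resolve to a real global; the tamperProof helper turns a prototype's data properties into accessors whose setter creates an own property on the inheriting object instead of throwing.

```javascript
// ---- 1. Over-approximating free variable names (modelled on atLeastFreeVarNames; not SES code) ----
// Every ASCII identifier is a maximal run matching IDENT_RE, so scanning the raw source with it
// (comments and string literals included) cannot miss a free variable, only over-report one.
const IDENT_RE = /[A-Za-z_$][A-Za-z0-9_$]*/g;

// Keywords and strict-mode reserved words can never be a variable reference and are not legal
// parameter names, so they are dropped from the scan result. Dropping them cannot hide a free variable.
const RESERVED = new Set(('break case catch class const continue debugger default delete do else ' +
  'enum export extends false finally for function if implements import in instanceof interface let ' +
  'new null package private protected public return static super switch this throw true try typeof ' +
  'var void while with yield').split(' '));

function atLeastFreeVarNames(src) {
  src = String(src);
  // Non-ASCII characters and \u escapes can spell an identifier that IDENT_RE would not see whole.
  // Assumption made here: reject such source outright rather than try to decode it.
  if (/[^\x00-\x7f]/.test(src)) throw new Error('non-ASCII source rejected');
  if (src.includes('\\u')) throw new Error('\\u escapes rejected');
  const names = new Set();
  for (const m of src.matchAll(IDENT_RE)) {
    if (!RESERVED.has(m[0])) names.add(m[0]);
  }
  // 'eval' and 'arguments' are not valid strict-mode parameter names; refuse rather than leave them free.
  if (names.has('eval') || names.has('arguments')) throw new Error('eval/arguments rejected');
  return names;
}

// Evaluate an expression with every scanned name bound as a parameter: each name resolves to the
// matching endowment, or to undefined, never to a real global. (Hypothetical helper, not cajaVM's API.)
function confine(src, endowments) {
  const params = [...atLeastFreeVarNames(src)];
  // The newline guards against a trailing // comment in src swallowing the closing parenthesis.
  const fn = new Function(...params, '"use strict"; return (' + src + '\n);');
  const args = params.map((n) =>
    Object.prototype.hasOwnProperty.call(endowments, n) ? endowments[n] : undefined);
  return fn(...args);
}

// ---- 2. The ES5 override mistake and a tamperProof-style repair (modelled on cajaVM.tamperProof) ----
function overrideMistakeDemo() {
  'use strict'; // in sloppy mode the assignment below is silently ignored instead of throwing
  const proto = Object.freeze({ name: 'base' });
  const child = Object.create(proto);
  let threw = false;
  try {
    child.name = 'child'; // TypeError: the inherited 'name' is non-writable, so child cannot shadow it
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { threw, name: child.name, own: Object.prototype.hasOwnProperty.call(child, 'name') };
}

// Replace each own data property with an accessor: reads return the captured value, a write to the
// prototype itself throws, and a write to an inheriting object creates an own property on it,
// which is what plain assignment would have done had the inherited property been writable.
function tamperProof(obj) {
  for (const key of Object.getOwnPropertyNames(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (!('value' in desc) || !desc.configurable) continue; // leave accessors and locked props alone
    const value = desc.value;
    Object.defineProperty(obj, key, {
      get() { return value; },
      set(v) {
        if (this === obj) throw new TypeError('Cannot assign to read-only property ' + key);
        Object.defineProperty(this, key, { value: v, writable: true, enumerable: true, configurable: true });
      },
      enumerable: desc.enumerable,
      configurable: false,
    });
  }
  return Object.freeze(obj);
}

function tamperProofDemo() {
  const proto = tamperProof({ name: 'base' });
  const child = Object.create(proto);
  child.name = 'child'; // now succeeds: the setter creates an own property on child
  let protoThrew = false;
  try { proto.name = 'x'; } catch (e) { protoThrew = e instanceof TypeError; }
  return { childName: child.name, protoName: proto.name, frozen: Object.isFrozen(proto), protoThrew };
}
```

The scan is deliberately syntax-independent: however the source ends up parsing, every identifier it contains has already been bound, which is why a lexer or parser bug cannot reopen a hole. It only covers free variable references, though. An expression such as `(function(){}).constructor('return this')()` contains no free variable at all (function, return and this are keywords, constructor is a property name) and still reaches the real global object through Function.prototype.constructor, so confining free variables has to be paired with freezing and taming the reachable primordials, which is what the rest of SES (cajaVM.def and the whitelist) is for.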


More information about the es-discuss mailing list