<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <div class="moz-cite-prefix">Le 22/03/2013 19:33, Mark S. Miller a
      écrit :<br>
    </div>
    <blockquote
cite="mid:CABHxS9gb3a3fVRCoDVNOHT6930hM4eP5HF2Mge4m_YiFj=2S2w@mail.gmail.com"
      type="cite">
      <div dir="ltr">On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <span
          dir="ltr"><<a moz-do-not-send="true"
            href="mailto:vitteaymeric@gmail.com" target="_blank">vitteaymeric@gmail.com</a>></span>
        wrote:<br>
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> As far as I
                remember  when I looked at it, there was a getfreevar
                function or something like this parsing the code (or I
                misunderstood, see [1] but don't read the proposal, it's
                wrong, even if I don't totally give up with the
                concept).<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div style="">Are you referring to the function
              atLeastFreeVarNames at <<a moz-do-not-send="true"
href="https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/atLeastFreeVarNames.js">https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/atLeastFreeVarNames.js</a>>?
              It does scan the source using regular expressions to look
              for all possible identifiers. But it doesn't do a full
              parse or even lex. As a result, it picks up identifiers in
              comments and literal strings as well. Security only
              requires that the code being scanned cannot contain have a
              free (and therefore global) variable reference without it
              being included in atLeastFreeVarNames's result.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Yes, exactly, indeed it's not parsing but "rexexpeing".<br>
    <br>
    <blockquote
cite="mid:CABHxS9gb3a3fVRCoDVNOHT6930hM4eP5HF2Mge4m_YiFj=2S2w@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div><br>
            </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> <br>
                But anyway, since it will change, does it exist an
                official document about SES concepts (strawman or other)
                ?<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div style="">Nothing official yet. But see</div>
            <div><br>
            </div>
            <div><a moz-do-not-send="true"
                href="https://code.google.com/p/google-caja/wiki/SES">https://code.google.com/p/google-caja/wiki/SES</a><br>
            </div>
            <div><a moz-do-not-send="true"
href="http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf">http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf</a><br>
            </div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Thanks, for [1] there is a script supposed to "tame" the page,
    trying to use a kind of home-made Object.observe which just shadows
    some DOM prototype properties and assign getters/setters,
    unexpectedly the behavior is different in each browser, and globally
    this does not work at all as such, maybe the override problem, more
    probably when I am back to it.<br>
    <br>
    [1] <a class="moz-txt-link-freetext" href="http://www.ianonym.com">http://www.ianonym.com</a><br>
    <br>
    Regards,<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
jCore
Email :  <a class="moz-txt-link-abbreviated" href="mailto:avitte@jcore.fr">avitte@jcore.fr</a>
iAnonym : <a class="moz-txt-link-freetext" href="http://www.ianonym.com">http://www.ianonym.com</a>
node-Tor : <a class="moz-txt-link-freetext" href="https://www.github.com/Ayms/node-Tor">https://www.github.com/Ayms/node-Tor</a>
GitHub : <a class="moz-txt-link-freetext" href="https://www.github.com/Ayms">https://www.github.com/Ayms</a>
Web :    <a class="moz-txt-link-abbreviated" href="http://www.jcore.fr">www.jcore.fr</a>
Webble : <a class="moz-txt-link-abbreviated" href="http://www.webble.it">www.webble.it</a>
Extract Widget Mobile : <a class="moz-txt-link-abbreviated" href="http://www.extractwidget.com">www.extractwidget.com</a>
BlimpMe! : <a class="moz-txt-link-abbreviated" href="http://www.blimpme.com">www.blimpme.com</a></pre>
  </body>
</html>