On Dec 11, 12:55 pm, [EMAIL PROTECTED] wrote:
> On Dec 11, 3:16 am, Attila Szegedi <[EMAIL PROTECTED]> wrote:
>
> > Hi there,
> >
> > I'll take a shot, as the party guilty of bringing
> > PolicySecurityController into existence...
> >
> > As far as the PolicySecurityController and the policy file are
> > concerned, I think you're doing it completely correctly. That's the
> > way to do it -- you gave all permissions to the code you trust, and no
> > permissions to other code. Writing to System.out is however never
> > subject to a security check.
> >
> > If you want to disallow access to java.* Packages.* etc, just remove
> > them from the scope after you invoked initStandardObjects()
> >
> > It's very late here and I'm barely awake right now, so I won't
> > elaborate further at the moment -- if you'd need further information,
> > please shout and I'll try to follow up tomorrow.
> >
> > Attila.
> >
> > --
> > home:http://www.szegedi.org
> > twitter:http://twitter.com/szegedi
> > weblog:http://constc.blogspot.com
>
> That's progress, I suppose. :-)
>
> My instinct tells me that what I should do, then, is do
> initStandardObjects() and then iterate over all symbols in the scope,
> removing (using Scriptable.delete() if that guess isn't wrong) any
> that don't appear in, for example, the Standard Objects list
> (<https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference#Standard_global_objects>)
> instead of specifically removing java, Packages, sun, and so forth,
> because I'm paranoid like that...

This reminds me of bug 468385:
https://bugzilla.mozilla.org/show_bug.cgi?id=468385

Maybe we should have a mechanism to give embedders better control over
global objects.

Hannes

> Is there any straightforward way to voluntarily forbid actions that
> would normally pass unchecked, like the aforementioned stdio?
>
> In any case, thanks a zillion; I think I can begin to move forward to
> the next roadblock.
>
> danx
> dro

_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
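The allowlist approach proposed in the quoted message (call initStandardObjects(), then delete every global not on a known list), sketched as an added example that is not part of the thread or Rhino's own code. The class name, the allowlist contents and the probed names are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ScriptableObject;

public class AllowlistedScope {
    // Constructed allowlist for illustration; adjust it to what the embedding needs.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "Object", "Function", "Array", "String", "Boolean", "Number", "Date",
        "Math", "RegExp", "Error", "EvalError", "RangeError", "ReferenceError",
        "SyntaxError", "TypeError", "URIError", "NaN", "Infinity", "undefined",
        "isNaN", "isFinite", "parseInt", "parseFloat",
        "encodeURI", "encodeURIComponent", "decodeURI", "decodeURIComponent"));

    static ScriptableObject newRestrictedScope(Context cx) {
        ScriptableObject scope = cx.initStandardObjects();
        // getAllIds() includes non-enumerable properties, which getIds() would skip.
        for (Object id : scope.getAllIds()) {
            if (!(id instanceof String) || ALLOWED.contains(id)) {
                continue;
            }
            String name = (String) id;
            scope.delete(name);
            // Fail closed: delete() leaves PERMANENT properties in place.
            if (scope.has(name, scope)) {
                throw new IllegalStateException("could not remove global: " + name);
            }
        }
        return scope;
    }

    public static void main(String[] args) {
        Context cx = Context.enter();
        try {
            ScriptableObject scope = newRestrictedScope(cx);
            // Probe a few names from inside a script to confirm what is still visible.
            for (String name : new String[] {"Packages", "java", "Math"}) {
                Object r = cx.evaluateString(scope, "typeof " + name, "probe", 1, null);
                System.out.println(name + ": " + Context.toString(r));
            }
        } finally {
            Context.exit();
        }
    }
}
```

Removing globals only hides the entry points in that scope; Context.setClassShutter() is the Rhino hook for restricting which Java classes can be exposed to scripts at all, for example through host objects the embedder adds later.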
