On 22/03/2013 19:33, Mark S. Miller wrote:
On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <vitteayme...@gmail.com> wrote:

    As far as I remember when I looked at it, there was a getfreevar
    function or something like this parsing the code (or I
    misunderstood, see [1] but don't read the proposal, it's wrong,
    even if I don't totally give up on the concept).


Are you referring to the function atLeastFreeVarNames at <https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/atLeastFreeVarNames.js>? It does scan the source using regular expressions to look for all possible identifiers. But it doesn't do a full parse or even lex. As a result, it picks up identifiers in comments and literal strings as well. Security only requires that the code being scanned cannot contain a free (and therefore global) variable reference without it being included in atLeastFreeVarNames's result.

Yes, exactly, indeed it's not parsing but "regexping".



    But anyway, since it will change, is there an official
    document about SES concepts (strawman or other)?


Nothing official yet. But see

https://code.google.com/p/google-caja/wiki/SES
http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf


Thanks. For [1] there is a script supposed to "tame" the page, trying to use a kind of home-made Object.observe which just shadows some DOM prototype properties and assigns getters/setters. Unexpectedly, the behavior is different in each browser, and globally this does not work at all as such, maybe the override problem, more probably when I am back to it.

[1] http://www.ianonym.com

Regards,

--
jCore
Email :  avi...@jcore.fr
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web :    www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
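
The conservative scan described in the quoted reply above, as an added example that is not part of the original thread and is not the Caja source: it returns every identifier-shaped token, so names in comments and strings are included, and it fails closed on `\u` escapes because an escaped identifier would not match the pattern. The function names and the sample input are assumptions made for this illustration.

```javascript
// Added illustration; not the Caja/SES implementation. All names are hypothetical.
// Identifier-shaped token: ID_Start (or $ / _) followed by ID_Continue characters.
const IDENT = /[$_\p{ID_Start}][$\p{ID_Continue}\u200c\u200d]*/gu;

// Over-approximate the free variable names of `src` without parsing or lexing.
// Soundness goal: no free variable of `src` may be absent from the result.
function conservativeFreeVarNames(src) {
  // Fail closed: JavaScript lets an identifier be spelled with \uXXXX escapes,
  // and such a spelling would not match IDENT as the name it denotes.
  if (src.includes('\\u')) {
    throw new SyntaxError('unicode escapes are rejected by this scan');
  }
  return new Set(src.match(IDENT) || []);
}

// True when every name in `knownFree` is covered by the scan of `src`.
function coversAll(src, knownFree) {
  const names = conservativeFreeVarNames(src);
  return knownFree.every((n) => names.has(n));
}

// Constructed sample: `counter` and `location` are the real free variables;
// `document` and `window` occur only in a comment and a string literal.
const sample = `
  // touches document only in this comment
  var msg = "window inside a string";
  function f(x) { return x + counter + location.href; }
`;

const scanned = conservativeFreeVarNames(sample);
console.log([...scanned].sort().join(' '));
console.log('covers real free vars:', coversAll(sample, ['counter', 'location']));
```
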
