On 22/03/2013 19:33, Mark S. Miller wrote:
On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <vitteayme...@gmail.com
<mailto:vitteayme...@gmail.com>> wrote:
As far as I remember when I looked at it, there was a getfreevar
function or something like this parsing the code (or I
misunderstood, see [1] but don't read the proposal, it's wrong,
even if I don't totally give up with the concept).
Are you referring to the function atLeastFreeVarNames at
<https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/atLeastFreeVarNames.js>?
It does scan the source using regular expressions to look for all
possible identifiers. But it doesn't do a full parse or even lex. As a
result, it picks up identifiers in comments and literal strings as
well. Security only requires that the code being scanned cannot
contain a free (and therefore global) variable reference without
it being included in atLeastFreeVarNames's result.
Yes, exactly, indeed it's not parsing but "regexping".
But anyway, since it will change, does an official
document about SES concepts exist (strawman or other)?
Nothing official yet. But see
https://code.google.com/p/google-caja/wiki/SES
http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf
Thanks, for [1] there is a script supposed to "tame" the page, trying to
use a kind of home-made Object.observe which just shadows some DOM
prototype properties and assigns getters/setters, unexpectedly the
behavior is different in each browser, and globally this does not work
at all as such, maybe the override problem, more probably when I am back
to it.
[1] http://www.ianonym.com
Regards,
--
jCore
Email : avi...@jcore.fr
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web : www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
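The conservative scan discussed in this thread, as an added example that is not part of the original messages and is not the Caja source: a regular-expression pass that returns a superset of the free variable names, including words found in comments and string literals. The function names, the Unicode-aware pattern, the rejection of `\u` escapes and the allowlist check are assumptions of this sketch.

```javascript
// Added illustration; not the Caja/SES source. All names here are hypothetical.
const IDENT = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu;

// Returns a superset of the identifiers that could be free variables in `src`.
// No lexing is done, so words in comments and string literals are included.
function overApproxFreeNames(src) {
  // An identifier can be spelled with escapes (\u0061lert is alert), which the
  // pattern above would not see as that name. Assumption of this sketch:
  // refuse such source rather than risk missing a name.
  if (/\\u/.test(src)) {
    throw new SyntaxError('unicode escapes are not supported by this scan');
  }
  return new Set(src.match(IDENT) || []);
}

// Names in the over-approximation that the caller has not allowed.
// False positives (words from comments or strings) are expected; a missed
// free variable is the only outcome that would be unsafe.
function namesOutsideAllowlist(src, allowed) {
  return [...overApproxFreeNames(src)].filter((n) => !allowed.has(n)).sort();
}

// Constructed sample input. Its real free variables are console and window.
const sample = [
  '// TODO: stop using localStorage here',
  'function greet(name) {',
  '  var msg = "hello document";',
  '  return console.log(msg + name + window.location);',
  '}',
].join('\n');

// The result also contains localStorage (comment) and document (string).
console.log([...overApproxFreeNames(sample)].sort().join(' '));
```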