[+google-caja-discuss] On Sun, Mar 24, 2013 at 10:44 AM, Aymeric Vitte <vitteayme...@gmail.com> wrote:
> On 22/03/2013 19:33, Mark S. Miller wrote:
>
> On Fri, Mar 22, 2013 at 6:03 PM, Aymeric Vitte <vitteayme...@gmail.com> wrote:
>
>> As far as I remember when I looked at it, there was a getfreevar function or something like this parsing the code (or I misunderstood, see [1] but don't read the proposal, it's wrong, even if I don't totally give up with the concept).
>
> Are you referring to the function atLeastFreeVarNames at <https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/atLeastFreeVarNames.js>? It does scan the source using regular expressions to look for all possible identifiers. But it doesn't do a full parse or even lex. As a result, it picks up identifiers in comments and literal strings as well. Security only requires that the code being scanned cannot have a free (and therefore global) variable reference without it being included in atLeastFreeVarNames's result.
>
> Yes, exactly, indeed it's not parsing but "regexping".
>
>> But anyway, since it will change, is there an official document about SES concepts (strawman or other)?
>
> Nothing official yet. But see
>
> https://code.google.com/p/google-caja/wiki/SES
>
> http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf
>
> Thanks, for [1] there is a script supposed to "tame" the page, trying to use a kind of home-made Object.observe which just shadows some DOM prototype properties and assigns getters/setters,

You should check out the rest of Caja, which is an integrated solution that uses

* SES to secure the JavaScript portion if on an ES5 platform
* ES5/3 to emulate ES5 and SES when on a pre-ES5 browser
* Domado to tame the DOM and browser API
* HTML and CSS rewriters that sanitize by sandboxing the scripts they encounter rather than removing them.

> unexpectedly the behavior is different in each browser, and globally this does not work at all as such, maybe the override problem, more probably when I am back to it.

When used through Caja, the allowed subset of browser behaviors appears much more uniform and reliable.

* SES compensates for the override mistake with cajaVM.tamperProof <https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#371> and cajaVM.def <https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#891>.
* ES5/3 purposely does not emulate the ES5 override mistake. This has not broken anything yet, giving us further evidence that this mistake might still be repairable.
* Domado presents a more regular browser API, compensating for many differences of the underlying platform.
* The HTML and CSS rewriters emit normalized HTML and CSS, so you don't need to worry about differences in how browsers parse the abnormal cases.

I hope these are useful for you. Further discussion which is Caja-specific and not of general interest should occur on google-caja-disc...@googlegroups.com (cc'ed).

> [1] http://www.ianonym.com
>
> Regards,
>
> --
> jCore
> Email : avi...@jcore.fr
> iAnonym : http://www.ianonym.com
> node-Tor : https://www.github.com/Ayms/node-Tor
> GitHub : https://www.github.com/Ayms
> Web : www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com

--
Cheers,
--MarkM
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss