From an article in "SOA Advisor" titled "Enterprise Web 2.0, SOA Linkage: Will lack of standards be a hindrance?" by Srinivas Padmanabhuni of InfoSys. (If you...
We've previously announced the Caja project <http://code.google.com/p/google-caja/> on cap-talk, e-lang, and The Caplet Group list. Since then, in order to...
... Just to be clear: The bug is apparently not expected to be fixed for any FF 2.0.0.x. -- Cheers, --MarkM...
Mark S. Miller
erights@...
Dec 2, 2007 8:22 pm
129
{"Fwd: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re:" removed from Subject tag for esethitic reasons.} ... One thing people building Javascript...
Bill Frantz
frantz@...
Dec 2, 2007 9:48 pm
130
ADsafe does not allow 'call', so foo.call(null) does not pass, but it does allow foo() I think they are calling foo as with new, so it returns this...
... Hi John, I just talked to Crock. We're all agreed that this bug is serious and are relieved that it will be fixed in an upcoming Firefox release. However,...
... Never mind. I just ran it through JSLint, tried it, and looked at it again: (function(){ var obj = {}; obj.test = obj.valueOf; obj.valueOf = function(){...
... Jeez, my mistake again. I saw http://ejohn.org/apps/adsafe/valueOf.html pop up an "uh oh" alert, did a view source, saw the above text, pasted in into...
... This does point out how easy it is for a web site using ADsafe to accidentally give away its security by modifying the prototype of Object (and possibly...
On Dec 9, 2007 8:49 AM, David Hopwood ... Mostly correct, but I would not describe ADsafe as implementing Cajita. Cajita was inspired by ADsafe and grew out of...
http://www.crockford.com/html/ "<module> creates a sub-tree which can contain a document with a communication channel. See http://json.org/module.html for a ...
I have added an optional adsafe parameter to the JSLINT(source, option, adsafe) function. It is an object whose keys are global variable names and values are...
I am on the program committee of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day...
... Very nice. I like the context scanning mechanism. I'll be curious to see what the fsm.txt looks like for SQL. It wasn't clear to me how the interpolator...
... Escapers can use the runtime type of the substitution values. If the SQL escaper sees an array, then it iterates over elements, and if it sees a Date, it...
Seems like a good idea. As a user, I'd rather see the SQL problem solved right by having a parser that's more sophisticated than a finite state machine than to...
... Fair enough. It's tough to implement sophisticated and efficient parsers in javascript, but I'm sure that it's worthwhile in some contexts. Perhaps if...
... ... Now that ANTLR 3 has a retargetable backend, this might be a good motivation to get a JavaScript backend implemented. ActionScript, perl, Python &...
I updated JSLint today in a step to bring more truth to this expression: JSON < ADsafe < Cajita < Caja < ES3 < Proposed ES4 ADsafe now allows all strings as...
I relaxed the ADsafe.get(object, name) function. The only names it excludes now are the _hanging_underbar_ names. It allows all other names. It requires that...
I have been thinking about capabilities-based security and ES subsets like ADsafe and Caja, and was thinking about another subset that is intriguing to me and...
I am the co-chair of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day after the IEEE...
Doug/ADsafe people, Has there been any efforts to produce a lightweight minimal-sized ADsafe validator? With the coming browser capabilities in Cross-site XHR...
... ADsafe validator? With the coming browser capabilities in Cross-site XHR (MS's XDR and W3C/AC proposal) and the new postMessage API, it seems there will be...
Results of a quick experiment: Pulling stuff out of JSLint.js that is not needed for ADsafe validation of JavaScript produced an adsafe.js file that is 34K. I...
... A validator for a Javascript subset like ADsafe does have to check for syntactic validity, because: - it cannot trust the browser's eval to accept only...
David-Sarah Hopwood
david.hopwood@...
Mar 17, 2008 5:05 pm
154
Here is my attempt at an ADsafe validator: http://www.persvr.org/test/capability-validate.html Let me know if anyone can find any false acceptances (scripts...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
