http://www.crockford.com/html/ "<module> creates a sub-tree which can contain a document with a communication channel. See http://json.org/module.html for a ...
I have added an optional adsafe parameter to the JSLINT(source, option, adsafe) function. It is an object whose keys are global variable names and values are...
I am on the program committee of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day...
... Very nice. I like the context scanning mechanism. I'll be curious to see what the fsm.txt looks like for SQL. It wasn't clear to me how the interpolator...
... Escapers can use the runtime type of the substitution values. If the SQL escaper sees an array, then it iterates over elements, and if it sees a Date, it...
Seems like a good idea. As a user, I'd rather see the SQL problem solved right by having a parser that's more sophisticated than a finite state machine than to...
... Fair enough. It's tough to implement sophisticated and efficient parsers in JavaScript, but I'm sure that it's worthwhile in some contexts. Perhaps if...
... ... Now that ANTLR 3 has a retargetable backend, this might be a good motivation to get a JavaScript backend implemented. ActionScript, Perl, Python &...
I updated JSLint today in a step to bring more truth to this expression: JSON < ADsafe < Cajita < Caja < ES3 < Proposed ES4. ADsafe now allows all strings as...
I relaxed the ADsafe.get(object, name) function. The only names it excludes now are the _hanging_underbar_ names. It allows all other names. It requires that...
I have been thinking about capabilities-based security and ES subsets like ADsafe and Caja, and was thinking about another subset that is intriguing to me and...
I am the co-chair of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day after the IEEE...
Doug/ADsafe people, Have there been any efforts to produce a lightweight minimal-sized ADsafe validator? With the coming browser capabilities in Cross-site XHR...
... ADsafe validator? With the coming browser capabilities in Cross-site XHR (MS's XDR and W3C/AC proposal) and the new postMessage API, it seems there will be...
Results of a quick experiment: Pulling stuff out of JSLint.js that is not needed for ADsafe validation of JavaScript produced an adsafe.js file that is 34K. I...
... A validator for a JavaScript subset like ADsafe does have to check for syntactic validity, because: - it cannot trust the browser's eval to accept only...
David-Sarah Hopwood
david.hopwood@...
Mar 17, 2008 5:05 pm
154
Here is my attempt at an ADsafe validator: http://www.persvr.org/test/capability-validate.html Let me know if anyone can find any false acceptances (scripts...
... get successfully eval'ed that are unsafe). ... presume that it is also a lot faster since it is using simpler regex-based checking rather than full AST...
... Yes, regular expression based validation does seem improbable. However, it seems like you could also make an argument that it is easier to reason about and...
... Do we have a regression test suite of tricky examples? For instance, I don't see the string "cc_on" in Kris' validator, but that feature tripped up ADsafe...
... Can you disallow @ outside of string literals entirely? What if ADsafe code is included in a container that has @cc_on, and does an @set that overrides a...
... '@' does not appear anywhere in the ES3 grammar outside string literals, regexp literals, and comments, right? Isn't ADsafe defined to be a subset of ES3? ...
David-Sarah Hopwood
david.hopwood@...
Mar 21, 2008 11:09 pm
161
On 21/03/2008, David-Sarah Hopwood ... Yep. @ often appears in JSDoc style comments: http://jsdoc.sourceforge.net/#tagref so banning @ in comments might make...
... I meant my point a bit more generally: Assume that any extension to strict ES3 is designed by an evil genius trying to break ADsafe (or Caja, or whatever),...
David-Sarah Hopwood
david.hopwood@...
Mar 22, 2008 3:04 am
164
On 21/03/2008, David-Sarah Hopwood ... Or a committee of evil geniuses. ... Caja deals with many of these problems by rewriting. We can deal perfectly well...
... Also, because with the new cross-site XHR and XDR capabilities, web sites can directly request the scripts from other sites, which can potentially be...
Is there any documentation available on the specific attacks that the various rules in ADsafe are protecting against? Most of the rules are pretty obvious, but...