Consider the following JavaScript source: [ /[/]/ /foo]/ + bar According to the ES3 spec, this is interpreted as: [ new RegExp("[") ] / new RegExp("foo]") +...
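The divergence the post describes, shown as an added example that is not part of the original post: a deliberately small regular-expression-literal scanner run under the ES3 rule (any unescaped `/` ends the literal, even inside a character class) and under the later rule (a `/` inside `[...]` belongs to the class), plus a naive regex-or-division tokenizer so the two lexings of the sample can be compared. The function names and the "previous token decides division" heuristic are this example's own simplifications, not the ADsafe, JSLint or Caja lexer. The security point is the last function: a verifier that tokenizes differently from the browser sees a different program than the one that runs, so a checker should reject any source on which the two readings disagree.

```javascript
// Added example: two readings of a regex literal. Not ADsafe/Caja code.

// Scan a RegularExpressionLiteral whose opening '/' is at src[start].
// Returns { body, end }, end being the index just past the closing '/'.
// Throws if the literal is unterminated.
function scanRegexLiteral(src, start, slashAllowedInClass) {
  let inClass = false;
  for (let i = start + 1; i < src.length; i++) {
    const c = src[i];
    if (c === "\\") { i++; continue; }            // backslash escapes the next char
    if (c === "\n" || c === "\r") break;           // a line terminator ends the literal
    if (slashAllowedInClass) {                     // ES5-style class tracking
      if (c === "[") inClass = true;
      else if (c === "]") inClass = false;
    }
    if (c === "/" && !inClass) {
      return { body: src.slice(start + 1, i), end: i + 1 };
    }
  }
  throw new SyntaxError("unterminated regular expression literal at " + start);
}

// Naive tokenizer (assumption of this example): a '/' is the division operator
// when the previous significant token is a word, a regex literal, ')' or ']';
// otherwise it starts a regex literal. Whitespace is skipped; every other
// character is a one-character punctuator. Enough for the sample, not a lexer.
function tokenize(src, slashAllowedInClass) {
  const tokens = [];
  let prev = null;
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === " " || c === "\t") { i++; continue; }
    if (/[A-Za-z0-9_$]/.test(c)) {
      let j = i;
      while (j < src.length && /[A-Za-z0-9_$]/.test(src[j])) j++;
      prev = { type: "word", value: src.slice(i, j) };
      tokens.push(prev);
      i = j;
      continue;
    }
    const divisionFollows = prev !== null && (
      prev.type === "word" || prev.type === "regex" ||
      (prev.type === "punct" && (prev.value === ")" || prev.value === "]")));
    if (c === "/" && !divisionFollows) {
      const r = scanRegexLiteral(src, i, slashAllowedInClass);
      prev = { type: "regex", value: r.body };
      tokens.push(prev);
      i = r.end;
      continue;
    }
    prev = { type: "punct", value: c };
    tokens.push(prev);
    i++;
  }
  return tokens;
}

// Bodies of the regex literals found under one rule, for easy comparison.
function regexBodies(src, slashAllowedInClass) {
  return tokenize(src, slashAllowedInClass)
    .filter(t => t.type === "regex")
    .map(t => t.value);
}

// The check a verifier wants: do the ES3 reading and the class-aware reading
// produce the same token stream? If not, the source is ambiguous and should be
// rejected rather than passed through to a browser that may read it either way.
function lexingsAgree(src) {
  const a = tokenize(src, false).map(t => t.type + ":" + t.value);
  const b = tokenize(src, true).map(t => t.type + ":" + t.value);
  return a.length === b.length && a.every((t, i) => t === b[i]);
}

// The post's sample: ES3 sees RegExp("[") and RegExp("foo]"); the class-aware
// reading sees a single RegExp("[/]") divided by foo.
const SAMPLE = "[ /[/]/ /foo]/ + bar";
```

Running `regexBodies(SAMPLE, false)` gives `["[", "foo]"]`, `regexBodies(SAMPLE, true)` gives `["[/]"]`, and `lexingsAgree(SAMPLE)` is false, while an unambiguous line such as `a / b / c` agrees under both rules.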
At http://wiki.ecmascript.org/doku.php?id=ses:ses_proposal_working_draft is posted a very rough first draft for a "Secure ECMAScript" standard, derived from...
This is the announcement of the call for papers for the third in a series of successful workshops on topics related to security and privacy for Web 2.0. This...
http://apps.yahoo.com/-yNmsEV4q/ I'm "ocap capo". It (and therefore Caja) also work on an iPhone. Thanks to the Yahoo! and Zynga folks! -- Cheers, --MarkM...
The w3c Technical Architecture Group (TAG) discusses ocaps for the web starting at http://www.w3.org/2001/tag/2008/12/10-minutes#item03 teaser sample: 'DO: SW...
I implemented PPK's focus hack (http://www.quirksmode.org/blog/archives/2008/04/delegating_the.html) in ADsafe, so focus and blur events may now be delegated....
ADsafe will block the bind method. The bind method proposed for ES3.1 is safe, but the bind methods provided by the current Ajax libraries are not because they...
ADsafe will now accept subscripting expressions that use the + prefix, so koda[bosonda] can be written as koda[+bosonda] instead of as ADSAFE.get(koda,...
Not directly object-capability news, but very good news from an ocap perspective. ... From: Brendan Eich <brendan@...> Date: Wed, Aug 13, 2008 at 2:26...
On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich ... Wow. No, we had no idea. I admit that I am shocked that the one tight encapsulation mechanism in...
I created a safe option in JSLint for checking the safe subset. The adsafe option assumes the safe option, and additionally checks for ADsafe widget...
I am developing an Ajax library for ADsafe. It applies a capability discipline to the dom tree, blocking access to parents and siblings. It wraps collections...
Recently I have been working on a new project, dojox.secure, to add a secure mechanism to Dojo for loading and executing untrusted code and widgets, and I...
I have been investigating an idea for a secure cross-site transport. It seems unlikely that no one has done anything like this before, but I can't find any...
I relaxed some of the restrictions on the get method. It still requires that the object is in fact an object (and not a function), but it allows the returning...
ADsafe now allows long dot expressions that refine the allowed global variables. So ADSAFE.koda.bosanda.bosoya.tikki.ottobo(); is now acceptable. JSLint's UI...
I am on the program committee of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day...
ADsafe does not allow access to Date or to Math.random(). This is because we want to be able to sample ads to test their behavior and contractual compliance....
I added arguments to the set of excluded members. The set now contains apply arguments call callee caller constructor eval prototype unwatch valueOf watch...
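An added example, not ADsafe's own implementation, pulling together three of the rules mentioned in the posts above: the `koda[+bosonda]` subscript form, the `get` method's refusal to operate on functions, and the excluded-member set. The banned list below is the partial list quoted in the post (the post's list is truncated, so the set here is incomplete by construction); the underscore rule is taken from the published ADsafe rules rather than from these excerpts and is marked as such; function and variable names are this example's own.

```javascript
// Added example of ADsafe-style subscript guards. Illustrative, not the library.

// Partial excluded-member set as quoted in the post above (truncated there).
const EXCLUDED = new Set([
  "apply", "arguments", "call", "callee", "caller", "constructor",
  "eval", "prototype", "unwatch", "valueOf", "watch"
]);

// A member name is rejected if it is in the excluded set or begins with an
// underscore. Assumption: the underscore rule comes from ADsafe's published
// rules, not from the excerpts on this page.
function isBannedName(name) {
  const s = String(name);
  return EXCLUDED.has(s) || s.charAt(0) === "_";
}

// ADSAFE.get-style accessor: the target must be a real object (functions and
// null are refused, as the post on the relaxed get method describes), and the
// member name must not be banned. Returns undefined for a missing own or
// inherited property exactly as plain subscripting would.
function guardedGet(object, name) {
  if (object === null || typeof object !== "object") {
    throw new TypeError("ADsafe get: target is not an object");
  }
  if (isBannedName(name)) {
    throw new Error("ADsafe get: banned member name " + String(name));
  }
  return object[name];
}

// The koda[+bosonda] form: unary plus coerces any attacker-controlled key to a
// number, so the subscript can only ever name a numeric index (or "NaN"),
// never "constructor", "__proto__", "valueOf" and the like. No runtime check
// is needed, which is why the verifier can accept it statically.
function numericGet(object, key) {
  return object[+key];
}
```

Note what each guard does and does not buy: `numericGet` is cheap and needs no banned list because the coercion itself rules out every string name, but it only suits arrays and other index-keyed collections; `guardedGet` handles arbitrary string names but is only as good as the completeness of the excluded set, which is why a banned-name list should be treated as a denylist of last resort behind the structural restrictions the verifier enforces.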
I am relaxing ADsafe to allow access to these standard globals: Array Boolean Date decodeURI decodeURIComponent encodeURI encodeURIComponent Error escape...
Is there any documentation available on the specific attacks that the various rules in ADsafe are protecting against? Most of the rules are pretty obvious, but...
Doug/ADsafe people, Have there been any efforts to produce a lightweight minimal-sized ADsafe validator? With the coming browser capabilities in Cross-site XHR...
I have been thinking about capabilities-based security and ES subsets like ADsafe and Caja, and was thinking about another subset that is intriguing to me and...