I have been thinking about capabilities-based security and ES subsets like ADsafe and Caja, and was thinking about another subset that is intriguing to me and...
I have added an optional adsafe parameter to the JSLINT(source, option, adsafe) function. It is an object whose keys are global variable names and values are...
http://www.crockford.com/html/ "<module> creates a sub-tree which can contain a document with a communication channel. See http://json.org/module.html for a ...
On Dec 9, 2007 8:49 AM, David Hopwood ... Mostly correct, but I would not describe ADsafe as implementing Cajita. Cajita was inspired by ADsafe and grew out of...
... Jeez, my mistake again. I saw http://ejohn.org/apps/adsafe/valueOf.html pop up an "uh oh" alert, did a view source, saw the above text, pasted in into...
... Hi John, I just talked to Crock. We're all agreed that this bug is serious and are relieved that it will be fixed in an upcoming Firefox release. However,...
We've previously announced the Caja project <http://code.google.com/p/google-caja/> on cap-talk, e-lang, and The Caplet Group list. Since then, in order to...
From an article in "SOA Advisor" titled "Enterprise Web 2.0, SOA Linkage: Will lack of standards be a hindrance?" by Srinivas Padmanabhuni of InfoSys. (If you...
The next step is to secure HTML fragments. JSLint has an HTML fragment option. When used with ADsafe, it will accept a <div> or <iframe> and its contents. It...
Caja is hereby open source under the Apache license 2.0. The Caja development site is at http://code.google.com/p/google-caja/ The initial draft design doc is...
Let's refer to a Javascript function that mentions 'this' as a Javascript method. When a Javascript method is called as a function, its 'this' gets bound to...
I have relaxed the rules on words. $ and leading _ are permitted. A trailing __ is forbidden. This change makes ADsafe a subset of another safe JavaScript...
I have put more limitations on what is tolerated in HTML. I suspect there are more gremlins out there. I am worried about catch(name) clauses. The way that...
Special thanks to Mike Samuel. I owe you a plate of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
Google Gears, a set of tools for offline Ajax applications, was introduced today at the Google Developer Day in San Jose. Gears is currently a browser plugin....
The Waterken server is itself built in Joe-E and provides distributed capability-based interaction for Joe-E objects via an https/json based crypto capability...
Tyler's "Bang Tutorial" <http://waterken.sourceforge.net/bang/> is the right place to start to understand the Javascript library used on the client to talk to...
We have the Mashup, which is the most interesting innovation in programming in years. But as practiced in the web browser, it is insecure. There is a clear...
I have three things to report that might be of interest to this mailing list. First, IBM Research has developed an approach called SMash whose goal is to ...
Let's look at some cases. Case 1. Pirate.net has a page with an iframe from penzance.org. The penzance widget is willing to talk to anything, and so is...
Posted on cap-talk. I will reply on cap-talk and forward my reply here as well. Further discussion of this should occur on cap-talk, but I'll forward here any...
So, someone created this group and subscribed me to it, which I do not object to, the idea is interesting. But I'm wondering who did that, and why? Cheers, ...
The protocol I spoke of is described here: (http://cap-lore.com/CapTheory/Dist/Glass.html#introducer). It assumes two agents on the same platform and a...
A recent development in web application development is The Mashup. A mashup is a page that is obtaining data from multiple sources and producing a useful...