... Maybe I'm being horribly unfair to protocol designers, but implementors do. An example is entities in URIs embedded in HTML. <a href="foo?bar=a&baz=b"> is...
125
Alan Karp
alanhkarp
Nov 13, 2007 11:21 pm
From an article in "SOA Advisor" titled "Enterprise Web 2.0, SOA Linkage: Will lack of standards be a hindrance?" by Srinivas Padmanabhuni of InfoSys. (If you...
126
Mark Miller
capsecure
Dec 2, 2007 8:08 pm
We've previously announced the Caja project <http://code.google.com/p/google-caja/> on cap-talk, e-lang, and The Caplet Group list. Since then, in order to...
127
Mark Miller
capsecure
Dec 2, 2007 8:14 pm
Successful attack on ADsafe due to a Firefox bug that is fixed in the development trunk, but apparently not expected to appear in a Firefox 2.0.0.x...
128
Mark S. Miller
erights@...
Dec 2, 2007 8:22 pm
... Just to be clear: The bug is apparently not expected to be fixed for any FF 2.0.0.x. -- Cheers, --MarkM...
129
Bill Frantz
frantz@...
Dec 2, 2007 9:48 pm
{"Fwd: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re:" removed from Subject tag for esethitic reasons.} ... One thing people building Javascript...
130
Douglas Crockford
douglascrock...
Dec 3, 2007 1:17 pm
ADsafe does not allow 'call', so foo.call(null) does not pass, but it does allow foo() I think they are calling foo as with new, so it returns this...
131
Mark Miller
capsecure
Dec 9, 2007 6:24 am
... Hi John, I just talked to Crock. We're all agreed that this bug is serious and are relieved that it will be fixed in an upcoming Firefox release. However,...
132
Mark Miller
capsecure
Dec 9, 2007 6:46 am
... Never mind. I just ran it through JSLint, tried it, and looked at it again: (function(){ var obj = {}; obj.test = obj.valueOf; obj.valueOf = function(){...
133
Douglas Crockford
douglascrock...
Dec 9, 2007 12:54 pm
... I don't understand this. What is bind in this example? When I ran it in FireFox 2.0.0.11, it reported 'obj.test.bind is not a function'....
134
Mark Miller
capsecure
Dec 9, 2007 4:11 pm
... Jeez, my mistake again. I saw http://ejohn.org/apps/adsafe/valueOf.html pop up an "uh oh" alert, did a view source, saw the above text, pasted in into...
135
Adam Barth
hk9565
Dec 9, 2007 5:22 pm
... This does point out how easy it is for a web site using ADsafe to accidentally give away its security by modifying the prototype of Object (and possibly...
136
Mark Miller
capsecure
Dec 9, 2007 6:27 pm
On Dec 9, 2007 8:49 AM, David Hopwood ... Mostly correct, but I would not describe ADsafe as implementing Cajita. Cajita was inspired by ADsafe and grew out of...
137
robertsayre2000
Jan 11, 2008 1:43 am
http://www.crockford.com/html/ "<module>; creates a sub-tree which can contain a document with a communication channel. See http://json.org/module.html for a ...
138
Douglas Crockford
douglascrock...
Jan 30, 2008 1:55 am
I have added an optional adsafe parameter to the JSLINT(source, option, adsafe) function. It is an object whose keys are global variable names and values are...
139
Mark Miller
capsecure
Jan 30, 2008 5:07 am
... From: Mike Samuel <mikesamuel@...> Date: Jan 29, 2008 8:15 PM Subject: [Caja] secure string interpolation in javascript To: Google Caja Discuss...
140
Douglas Crockford
douglascrock...
Jan 30, 2008 3:16 pm
I am on the program committee of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day...
141
Monty Zukowski
monty_zukowski
Jan 30, 2008 9:21 pm
... Very nice. I like the context scanning mechanism. I'll be curious to see what the fsm.txt looks like for SQL. It wasn't clear to me how the interpolator...
142
Mike Samuel
mikesamuel
Jan 30, 2008 9:50 pm
... Escapers can use the runtime type of the substitution values. If the SQL escaper sees an array, then it iterates over elements, and if it sees a Date, it...
143
Freeman, Tim
timothy_free...
Jan 30, 2008 10:28 pm
Seems like a good idea. As a user, I'd rather see the SQL problem solved right by having a parser that's more sophisticated than a finite state machine than to...
144
Mike Samuel
mikesamuel
Jan 30, 2008 10:42 pm
... Fair enough. It's tough to implement sophisticated and efficient parsers in javascript, but I'm sure that it's worthwhile in some contexts. Perhaps if...
145
Monty Zukowski
monty_zukowski
Feb 1, 2008 3:50 pm
... ... Now that ANTLR 3 has a retargetable backend, this might be a good motivation to get a JavaScript backend implemented. ActionScript, perl, Python &...
146
Douglas Crockford
douglascrock...
Feb 19, 2008 9:03 pm
I updated JSLint today in a step to bring more truth to this expression: JSON < ADsafe < Cajita < Caja < ES3 < Proposed ES4 ADsafe now allows all strings as...
147
Douglas Crockford
douglascrock...
Feb 20, 2008 11:38 pm
I relaxed the ADsafe.get(object, name) function. The only names it excludes now are the _hanging_underbar_ names. It allows all other names. It requires that...
148
Kris Zyp
kriszyp
Feb 27, 2008 9:02 pm
I have been thinking about capabilities-based security and ES subsets like ADsafe and Caja, and was thinking about another subset that is intriguing to me and...
149
Larry Koved
larrykoved
Mar 5, 2008 3:13 am
I am the co-chair of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day after the IEEE...
150
Kris Zyp
kriszyp
Mar 17, 2008 1:40 am
Doug/ADsafe people, Has there been any efforts to produce a lightweight minimal-sized ADsafe validator? With the coming browser capabilities in Cross-site XHR...
151
Douglas Crockford
douglascrock...
Mar 17, 2008 1:11 pm
... ADsafe validator? With the coming browser capabilities in Cross-site XHR (MS's XDR and W3C/AC proposal) and the new postMessage API, it seems there will be...
152
Douglas Crockford
douglascrock...
Mar 17, 2008 5:05 pm
Results of a quick experiment: Pulling stuff out of JSLint.js that is not needed for ADsafe validation of JavaScript produced an adsafe.js file that is 34K. I...
153
David-Sarah Hopwood
david.hopwood@...
Mar 17, 2008 5:05 pm
... A validator for a Javascript subset like ADsafe does have to check for syntactic validity, because: - it cannot trust the browser's eval to accept only...
