... We are considering an Object.keys method, but it will only return the own, enumerable property names....
210
David-Sarah Hopwood
david.hopwood@...
May 21, 2008 7:02 pm
... I'm not convinced that it is sufficiently robust to just check for (this === window). This should work: function robustify(aType, methodName) { var proto =...
209
David-Sarah Hopwood
david.hopwood@...
May 21, 2008 1:45 pm
... From: Douglas Crockford <douglas@...> To: David-Sarah Hopwood <david.hopwood@...> Subject: Re: ADsafe attack ... The...
208
David-Sarah Hopwood
david.hopwood@...
May 21, 2008 1:44 pm
... From: Douglas Crockford <douglas@...> To: David-Sarah Hopwood <david.hopwood@...>, Mark Miller <erights@...> ...
207
David-Sarah Hopwood
david.hopwood@...
May 21, 2008 1:43 pm
[This might be a duplicate; I'm having trouble posting to this list from my usual account.] ... From: David-Sarah Hopwood...
206
David-Sarah Hopwood
david.hopwood@...
May 21, 2008 2:49 am
... From: Douglas Crockford <douglas@...> To: David-Sarah Hopwood <david.hopwood@...>, Mark Miller <erights@...> ...
205
David-Sarah Hopwood
david.hopwood@...
May 21, 2008 2:47 am
... To: Douglas Crockford <douglas@...> Subject: ADsafe attack From: David-Sarah Hopwood <david.hopwood@...> (function () { ...
204
Larry Koved
larrykoved
May 5, 2008 2:12 am
Reminder -- less than 3 weeks until the workshop! W2SP 2008: Web 2.0 Security and Privacy 2008 Thursday, May 22 The Claremont Resort, Oakland, California...
203
Douglas Crockford
douglascrock...
May 4, 2008 4:02 pm
ADsafe does not allow access to Date or to Math.random(). This is because we want to be able to sample ads to test their behavior and contractual compliance....
202
Douglas Crockford
douglascrock...
Apr 16, 2008 2:00 am
... And they are no longer in ADsafe. JSLint will flag them in all cases....
201
Mark S. Miller
erights@...
Apr 16, 2008 12:12 am
On Tue, Apr 15, 2008 at 4:42 PM, Douglas Crockford ... I just looked. They are not in the normative part of the ES3 spec. They appear only in Annex B. (B.2.1 &...
200
Mike Samuel
mikesamuel
Apr 16, 2008 12:02 am
... I have no stronger argument than, in code I review, it is much more frequently misused than used properly. If the goal is to allow all innocuous ES...
199
Douglas Crockford
douglascrock...
Apr 15, 2008 11:42 pm
... It is in the standard and it does not represent a leak. escape is not recommended for encoding URLs, but can be used for encoding values in cookies. Unless...
198
Douglas Crockford
douglascrock...
Apr 15, 2008 4:25 pm
I added arguments to the set of excluded members. The set now contains apply arguments call callee caller constructor eval prototype unwatch valueOf watch...
197
Mark Miller
capsecure
Apr 11, 2008 9:55 pm
On Fri, Apr 11, 2008 at 2:13 PM, David-Sarah Hopwood ... In addition to the violations noted later in this thread, there's also Math.random(). -- Text by me...
196
David-Sarah Hopwood
david.hopwood@...
Apr 11, 2008 9:13 pm
... and timezone ... And Array.prototype.toLocaleString, and String.prototype.localeCompare. Thanks for pointing this out -- it's better to have any ambient...
195
Mike Samuel
mikesamuel
Apr 11, 2008 8:12 pm
On 11/04/2008, David-Sarah Hopwood ... Ok. Understood....
194
David-Sarah Hopwood
david.hopwood@...
Apr 11, 2008 8:04 pm
... They are evaluated identically (if Infinity is an unshadowable constant), but they have different syntax trees. Crock' rule was defined syntactically; ...
193
Mike Samuel
mikesamuel
Apr 11, 2008 7:54 pm
On 11/04/2008, David-Sarah Hopwood <david.hopwood@...> ... douglas@...> ... The two are identical. From ES262 S11.2.1 ...
192
David-Sarah Hopwood
david.hopwood@...
Apr 11, 2008 3:16 pm
... IIUC, foo['-Infinity'] would be, but foo[-Infinity] wouldn't. -- David-Sarah Hopwood...
191
Mark S. Miller
erights@...
Apr 10, 2008 5:15 pm
... Currently, ADsafe is still approximately a subset of Caja. Were these added, it would cause significant breakage of the subset relationship. -- Cheers, ...
190
Mike Samuel
mikesamuel
Apr 10, 2008 5:09 pm
On 10/04/2008, David-Sarah Hopwood ... Date also provides info about the user's locale, but so does Number to some degree....
189
Douglas Crockford
douglascrock...
Apr 10, 2008 4:28 pm
... Yes. It is in anticipation of a decimal package of some sort....
188
David-Sarah Hopwood
david.hopwood@...
Apr 10, 2008 4:28 pm
... I can see the B-movie poster now :-) More seriously, all of the objects that Doug just granted access to, with the exception of Date, provide no authority...
187
♘ stay
staym_datawe...
Apr 10, 2008 3:37 pm
... Did you mean Math.PI, or is X.PI allowed for any X? -- Mike Stay stay@......
186
Douglas Crockford
douglascrock...
Apr 10, 2008 2:52 pm
... is there another exploit I am not aware of? Those are not standard globals. They are creatures of the DOM. Currently, ADsafe is not granting any access to...
185
Kris Zyp
kriszyp
Apr 10, 2008 5:18 am
... No confirm, alert, or prompt? Preventing annoyance exploits? ;) Or is there another exploit I am not aware of? Kris ... From: Douglas Crockford To:...
184
Mike Samuel
mikesamuel
Apr 10, 2008 12:00 am
... Is it really worth including {,un}escape in light of http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ? Is it a goal to support older versions...
183
Douglas Crockford
douglascrock...
Apr 9, 2008 11:48 pm
I am relaxing ADsafe to allow access to these standard globals: Array Boolean Date decodeURI decodeURIComponent encodeURI encodeURIComponent Error escape...
182
Douglas Crockford
douglascrock...
Apr 8, 2008 4:43 pm
... optimization. ... functions is pretty core functionality, and AFAIK it is necessary to form multi-level prototypical inheritance. If I want object A to ...