I relaxed some of the restrictions on the get method. It still requires that the object is in fact an object (and not a function), but it allows the returning...
ADsafe now allows long dot expressions that refine the allowed global variables. So ADSAFE.koda.bosanda.bosoya.tikki.ottobo(); is now acceptable. JSLint's UI...
I am on the program committee of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day...
ADsafe does not allow access to Date or to Math.random(). This is because we want to be able to sample ads to test their behavior and contractual compliance....
I added arguments to the set of excluded members. The set now contains apply arguments call callee caller constructor eval prototype unwatch valueOf watch...
I am relaxing ADsafe to allow access to these standard globals: Array Boolean Date decodeURI decodeURIComponent encodeURI encodeURIComponent Error escape...
Is there any documentation available on the specific attacks that the various rules in ADsafe are protecting against? Most of the rules are pretty obvious, but...
Doug/ADsafe people, Has there been any efforts to produce a lightweight minimal-sized ADsafe validator? With the coming browser capabilities in Cross-site XHR...
I have been thinking about capabilities-based security and ES subsets like ADsafe and Caja, and was thinking about another subset that is intriguing to me and...
I have added an optional adsafe parameter to the JSLINT(source, option, adsafe) function. It is an object whose keys are global variable names and values are...
http://www.crockford.com/html/ "<module>; creates a sub-tree which can contain a document with a communication channel. See http://json.org/module.html for a ...
On Dec 9, 2007 8:49 AM, David Hopwood ... Mostly correct, but I would not describe ADsafe as implementing Cajita. Cajita was inspired by ADsafe and grew out of...
... Jeez, my mistake again. I saw http://ejohn.org/apps/adsafe/valueOf.html pop up an "uh oh" alert, did a view source, saw the above text, pasted in into...
... Hi John, I just talked to Crock. We're all agreed that this bug is serious and are relieved that it will be fixed in an upcoming Firefox release. However,...
We've previously announced the Caja project <http://code.google.com/p/google-caja/> on cap-talk, e-lang, and The Caplet Group list. Since then, in order to...
From an article in "SOA Advisor" titled "Enterprise Web 2.0, SOA Linkage: Will lack of standards be a hindrance?" by Srinivas Padmanabhuni of InfoSys. (If you...
The next step is to secure HTML fragments. JSLint has an HTML fragment option. When used with ADsafe, it will accept a <div> or <iframe> and its contents. It...
Caja is hereby open source under the Apache license 2.0. The Caja development site is at http://code.google.com/p/google-caja/ The initial draft design doc is...
Let's refer to a Javascript function that mentions 'this' as a Javascript method. When a Javascript method is called as a function, it's 'this' gets bound to...
I have relaxed the rules on words. $ and leading _ are permitted. A trailing __ is forbidden. This change makes ADsafe a subset of another safe JavaScript...
I have put more limitations on what is tolerated in HTML. I suspect there are more gremlins out there. I am worried about catch(name) clauses. The way that...
Special thanks to Mike Samuel. I owe you a late of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
Google Gears, a set of tools for offline Ajax applications, was introduced today at the Google Developer Day in San Jose. Gears is currently a browser plugin....
