On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich ... Wow. No, we had no idea. I admit that I am shocked that the one tight encapsulation mechanism in...
233
Mark S. Miller
erights@...
Jun 27, 2008 8:50 pm
... Hi Brendan, I was completely unaware of this history and did indeed think that this was a newly opened hole. I'm very pleased to find that it isn't. I'm...
234
brendaneich
Jun 27, 2008 9:09 pm
... I reply-all'ed since Mark cc'ed me, but I was not a member of the caplet@yahoogroups.com list so the message bounced off that address. Here's the...
235
Douglas Crockford
douglascrock...
Jul 16, 2008 10:11 pm
I added setExpression to the banned method list....
236
Mike Samuel
mikesamuel
Jul 16, 2008 11:09 pm
Is that the javascript equivalent of IE's expression(...) CSS extension? If so, I'm confused. If code is getting access to a raw HTMLElement or style object,...
237
Douglas Crockford
douglascrock...
Jul 16, 2008 11:25 pm
... string to ... You're right. Never mind....
238
David-Sarah Hopwood
david.hopwood@...
Jul 17, 2008 3:30 pm
... This is a Microsoft DOM method <http://msdn.microsoft.com/en-us/library/ms531196(VS.85).aspx> <http://www.webreference.com/js/tips/000719.html>. It's...
239
Douglas Crockford
douglascrock...
Aug 12, 2008 2:04 pm
A sample ADsafe widget can be seen at http://www.adsafe.org/bats.html It plays the game of Bats....
240
Mark S. Miller
erights@...
Aug 13, 2008 9:43 pm
Not directly object-capability news, but very good news from an ocap perspective. ... From: Brendan Eich <brendan@...> Date: Wed, Aug 13, 2008 at 2:26...
241
Douglas Crockford
douglascrock...
Aug 31, 2008 12:39 am
ADsafe will now accept subscripting expressions that use the + prefix, so koda[bosonda] can be written as koda[+bosonda] instead of as ADSAFE.get(koda,...
243
marcel.laverdet
Sep 5, 2008 1:07 pm
... I'm kind of late to this (just joined this group) but this just seems like a losing battle. Trusting that a host hasn't opened themselves up to an attack...
244
Kris Zyp
kriszyp
Sep 8, 2008 4:08 pm
Of course the attack assumes that the host uses Prototype and also has an iframe on the page, but I imagine such cases aren't hard to find. There's also...
245
marcel.laverdet
Sep 8, 2008 4:35 pm
... the prototypes (of course this could simply be documented to be unsafe)? Also, the mozilla() fix function replaces value in existing slots, it doesn't seem...
246
Kris Zyp
kriszyp
Sep 8, 2008 4:48 pm
... Understood. I think the situation may be a little different for me than for the ADsafe in general, since I am focused on a Dojo-specific impl of ADsafe....
247
Douglas Crockford
douglascrock...
Sep 8, 2008 5:04 pm
... has an iframe on the ... several other ways you can ... vectors? I see you're ... that approach won't work ... I looked at the Mozilla array methods, and...
248
Kris Zyp
kriszyp
Sep 8, 2008 5:07 pm
... If there is an iframe somewhere on the page, they can leak access to it (I was able to reproduce that). Kris ... From: Douglas Crockford To:...
249
Douglas Crockford
douglascrock...
Sep 8, 2008 6:51 pm
... Thanks, Marcel, that was really helpful. ADsafe's mozilla function is now conditioned on the existence of slots for concat, filter, map, reverse, slice,...
... These vulnerabilities were first pointed out by Jeff Walden and Eli Friedman, then interns at Mozilla, in August 2007. Jeff wrote back then in reply to...
252
Douglas Crockford
douglascrock...
Sep 8, 2008 8:06 pm
... Thanks. ADsafe is now wrapping concat every filter forEach map reduce reduceRight reverse slice some sort....
253
Douglas Crockford
douglascrock...
Oct 8, 2008 5:18 pm
There is another ADsafe demonstration widget at http://adsafe.org/sudoku.html...
254
Ben Laurie
benlaurie2000
Oct 8, 2008 5:49 pm
... Doesn't seem to work correctly in Chrome (for example, no play button). -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no...
255
Alan Karp
alanhkarp
Oct 8, 2008 9:59 pm
Works for me in Chrome. -- Alan Karp...
256
Bill Frantz
frantz@...
Oct 8, 2008 11:31 pm
... Seems to work on Safari. Cheers - Bill ... Bill Frantz |"We used to quip that "password"; is the most common 408-356-8506 | password. Now it's...
257
Ben Laurie
benlaurie2000
Oct 9, 2008 8:41 am
... Hmm. On second attempt it worked for me, too. Odd. -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no limit to what a man...
258
Alan Karp
alanhkarp
Oct 9, 2008 3:15 pm
I've noticed that Chrome gets addled if it's been open for many days. This morning mine lost its ability to talk to the network, but I've seen other symptoms....
259
Douglas Crockford
douglascrock...
Oct 23, 2008 6:02 pm
I implemented PPK's focus hack (http://www.quirksmode.org/blog/archives/2008/04/delegating_the.html) in ADsafe, so focus and blur events may now be delegated....
260
marcel.laverdet
Oct 25, 2008 12:41 am
Live Labs has released a public preview of their Javascript sandbox. http://websandbox.livelabs.com/ See the clock sample: ...
261
Mark S. Miller
erights@...
Nov 6, 2008 10:34 pm
The EcmaScript 3.1 draft standard is rapidly congealing towards an official standard. The Kona version at < ...
262
Douglas Crockford
douglascrock...
Jan 3, 2009 4:59 pm
I added another sample page. This one shows two simple widgets that coexist. http://adsafe.org/roman.html...
