I added setExpression to the banned method list....
236
Mike Samuel
mikesamuel
Jul 16, 2008 11:09 pm
Is that the JavaScript equivalent of IE's expression(...) CSS extension? If so, I'm confused. If code is getting access to a raw HTMLElement or style object,...
237
Douglas Crockford
douglascrock...
Jul 16, 2008 11:25 pm
... string to ... You're right. Never mind....
238
David-Sarah Hopwood
david.hopwood@...
Jul 17, 2008 3:30 pm
... This is a Microsoft DOM method <http://msdn.microsoft.com/en-us/library/ms531196(VS.85).aspx> <http://www.webreference.com/js/tips/000719.html>. It's...
239
Douglas Crockford
douglascrock...
Aug 12, 2008 2:04 pm
A sample ADsafe widget can be seen at http://www.adsafe.org/bats.html It plays the game of Bats....
240
Mark S. Miller
erights@...
Aug 13, 2008 9:43 pm
Not directly object-capability news, but very good news from an ocap perspective. ... From: Brendan Eich <brendan@...> Date: Wed, Aug 13, 2008 at 2:26...
241
Douglas Crockford
douglascrock...
Aug 31, 2008 12:39 am
ADsafe will now accept subscripting expressions that use the + prefix, so koda[bosonda] can be written as koda[+bosonda] instead of as ADSAFE.get(koda,...
243
marcel.laverdet
Sep 5, 2008 1:07 pm
... I'm kind of late to this (just joined this group) but this just seems like a losing battle. Trusting that a host hasn't opened themselves up to an attack...
244
Kris Zyp
kriszyp
Sep 8, 2008 4:08 pm
Of course the attack assumes that the host uses Prototype and also has an iframe on the page, but I imagine such cases aren't hard to find. There's also...
245
marcel.laverdet
Sep 8, 2008 4:35 pm
... the prototypes (of course this could simply be documented to be unsafe)? Also, the mozilla() fix function replaces value in existing slots, it doesn't seem...
246
Kris Zyp
kriszyp
Sep 8, 2008 4:48 pm
... Understood. I think the situation may be a little different for me than for the ADsafe in general, since I am focused on a Dojo-specific impl of ADsafe....
247
Douglas Crockford
douglascrock...
Sep 8, 2008 5:04 pm
... has an iframe on the ... several other ways you can ... vectors? I see you're ... that approach won't work ... I looked at the Mozilla array methods, and...
248
Kris Zyp
kriszyp
Sep 8, 2008 5:07 pm
... If there is an iframe somewhere on the page, they can leak access to it (I was able to reproduce that). Kris ... From: Douglas Crockford To:...
249
Douglas Crockford
douglascrock...
Sep 8, 2008 6:51 pm
... Thanks, Marcel, that was really helpful. ADsafe's mozilla function is now conditioned on the existence of slots for concat, filter, map, reverse, slice,...
... These vulnerabilities were first pointed out by Jeff Walden and Eli Friedman, then interns at Mozilla, in August 2007. Jeff wrote back then in reply to...
252
Douglas Crockford
douglascrock...
Sep 8, 2008 8:06 pm
... Thanks. ADsafe is now wrapping concat, every, filter, forEach, map, reduce, reduceRight, reverse, slice, some, sort....
253
Douglas Crockford
douglascrock...
Oct 8, 2008 5:18 pm
There is another ADsafe demonstration widget at http://adsafe.org/sudoku.html...
254
Ben Laurie
benlaurie2000
Oct 8, 2008 5:49 pm
... Doesn't seem to work correctly in Chrome (for example, no play button). -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no...
255
Alan Karp
alanhkarp
Oct 8, 2008 9:59 pm
Works for me in Chrome. -- Alan Karp...
256
Bill Frantz
frantz@...
Oct 8, 2008 11:31 pm
... Seems to work on Safari. Cheers - Bill ... Bill Frantz |"We used to quip that "password" is the most common 408-356-8506 | password. Now it's...
257
Ben Laurie
benlaurie2000
Oct 9, 2008 8:41 am
... Hmm. On second attempt it worked for me, too. Odd. -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no limit to what a man...
258
Alan Karp
alanhkarp
Oct 9, 2008 3:15 pm
I've noticed that Chrome gets addled if it's been open for many days. This morning mine lost its ability to talk to the network, but I've seen other symptoms....
259
Douglas Crockford
douglascrock...
Oct 23, 2008 6:02 pm
I implemented PPK's focus hack (http://www.quirksmode.org/blog/archives/2008/04/delegating_the.html) in ADsafe, so focus and blur events may now be delegated....
260
marcel.laverdet
Oct 25, 2008 12:41 am
Live Labs has released a public preview of their JavaScript sandbox. http://websandbox.livelabs.com/ See the clock sample: ...
261
Mark S. Miller
erights@...
Nov 6, 2008 10:34 pm
The EcmaScript 3.1 draft standard is rapidly congealing towards an official standard. The Kona version at < ...
262
Douglas Crockford
douglascrock...
Jan 3, 2009 4:59 pm
I added another sample page. This one shows two simple widgets that coexist. http://adsafe.org/roman.html...
263
Mark Miller
capsecure
Jan 5, 2009 9:14 pm
The W3C Technical Architecture Group (TAG) discusses ocaps for the web starting at http://www.w3.org/2001/tag/2008/12/10-minutes#item03 teaser sample: 'DO: SW...
264
Bill Frantz
frantz@...
Jan 5, 2009 10:35 pm
... For me, the highlight was, "Crockford says add a switch in Firefox to disable non-adSafe ads". If this feature gets adopted, and used, we'll see an...
265
Tyler Close
tjclose
Jan 6, 2009 12:17 am
At the end of the minutes, it looks like the TAG is casting about for a next step. One useful step would be to consider amending the web-arch document's...