... I'm kind of late to this (just joined this group) but this just seems like a losing battle. Trusting that a host hasn't opened themselves up to an attack...
Of course the attack assumes that the host uses Prototype and also has an iframe on the page, but I imagine such cases aren't hard to find. There's also...
... the prototypes (of course this could simply be documented to be unsafe)? Also, the mozilla() fix function replaces value in existing slots, it doesn't seem...
... Understood. I think the situation may be a little different for me than for the ADsafe in general, since I am focused on a Dojo-specific impl of ADsafe....
... has an iframe on the ... several other ways you can ... vectors? I see you're ... that approach won't work ... I looked at the Mozilla array methods, and...
... Thanks, Marcel, that was really helpful. ADsafe's mozilla function is now conditioned on the existence of slots for concat, filter, map, reverse, slice,...
... These vulnerabilities were first pointed out by Jeff Walden and Eli Friedman, then interns at Mozilla, in August 2007. Jeff wrote back then in reply to...
... Doesn't seem to work correctly in Chrome (for example, no play button). -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no...
I've noticed that Chrome gets addled if it's been open for many days. This morning mine lost its ability to talk to the network, but I've seen other symptoms....
I implemented PPK's focus hack (http://www.quirksmode.org/blog/archives/2008/04/delegating_the.html) in ADsafe, so focus and blur events may now be delegated....
The w3c Technical Architecture Group (TAG) discuss ocaps for the web starting at http://www.w3.org/2001/tag/2008/12/10-minutes#item03 teaser sample: 'DO: SW...
... For me, the highlight was, "Crockford says add a switch in Firefox to disable non-adSafe ads". If this feature gets adopted, and used, we'll see an...
Bill Frantz
frantz@...
Jan 5, 2009 10:35 pm
265
At the end of the minutes, it looks like the TAG is casting about for a next step. One useful step would be to consider amending the web-arch document's...
http://apps.yahoo.com/-yNmsEV4q/ I'm "ocap capo". It (and therefore Caja) also work on an iPhone. Thanks to the Yahoo! and Zynga folks! -- Cheers, --MarkM...
Mark S. Miller
erights@...
Jan 6, 2009 2:35 am
267
This is announcement of the call for papers for the third in a series of successful workshops on topics related to security and privacy for Web 2.0. This...
At http://wiki.ecmascript.org/doku.php?id=ses:ses_proposal_working_draft is posted a very rough first draft for a "Secure ECMAScript" standard, derived from...
... Hash: SHA1 Do you have an overview of the differences between SES and ES3.1 (or maybe it is easier to define the differences between SES and Cajita)? I see...
... Three synergies between ES3.1 strict and SES: * Better target: Easy to translate SES to ES3.1-strict * Better source: Easier to translate ES3.1-strict to...
Mark S. Miller
erights@...
Jan 25, 2009 6:55 am
271
Consider the following JavaScript source: [ /[/]/ /foo]/ + bar According to the ES3 spec, this is interpreted as: [ new RegExp("[") ] / new RegExp("foo]") +...
David-Sarah Hopwood
david.hopwood@...
Feb 9, 2009 5:16 pm
272
From what I remember this started out as a bug in IE and then Firefox followed suit for compatibility which left the other browsers with no choice. I can't...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
