The w3c Technical Architecture Group (TAG) discuss ocaps for the web starting at http://www.w3.org/2001/tag/2008/12/10-minutes#item03 teaser sample: 'DO: SW...
... For me, the highlight was, "Crockford says add a switch in Firefox to disable non-adSafe ads". If this feature gets adopted, and used, we'll see an...
Bill Frantz
frantz@...
Jan 5, 2009 10:35 pm
265
At the end of the minutes, it looks like the TAG is casting about for a next step. One useful step would be to consider amending the web-arch document's...
http://apps.yahoo.com/-yNmsEV4q/ I'm "ocap capo". It (and therefore Caja) also work on an iPhone. Thanks to the Yahoo! and Zynga folks! -- Cheers, --MarkM...
Mark S. Miller
erights@...
Jan 6, 2009 2:35 am
267
This is announcement of the call for papers for the third in a series of successful workshops on topics related to security and privacy for Web 2.0. This...
At http://wiki.ecmascript.org/doku.php?id=ses:ses_proposal_working_draft is posted a very rough first draft for a "Secure ECMAScript" standard, derived from...
... Hash: SHA1 Do you have an overview of the differences between SES and ES3.1 (or maybe it is easier to define the differences between SES and Cajita)? I see...
... Three synergies between ES3.1 strict and SES: * Better target: Easy to translate SES to ES3.1-strict * Better source: Easier to translate ES3.1-strict to...
Mark S. Miller
erights@...
Jan 25, 2009 6:55 am
271
Consider the following JavaScript source: [ /[/]/ /foo]/ + bar According to the ES3 spec, this is interpreted as: [ new RegExp("[") ] / new RegExp("foo]") +...
David-Sarah Hopwood
david.hopwood@...
Feb 9, 2009 5:16 pm
272
From what I remember this started out as a bug in IE and then Firefox followed suit for compatibility which left the other browsers with no choice. I can't...
... No, other browsers followed suit first. ... https://bugzilla.mozilla.org/show_bug.cgi?id=309840 Quoting from comment 0: Description From Jesse Ruderman...
... ADsafe rejects [ /[/]/ /foo]/ + bar. Just because ECMAScript says its ok doesn't mean that ADsafe must. ADsafe insists that all internal / must have \....
No need to apologize, and I did not aim to blame Opera or Safari in citing the record. This was not a situation where anyone fielding a browser compatible...
... I could, if I knew that there were no more bugs like this. Note that lexical confusion attacks of this kind can easily be turned into complete breaks of a...
David-Sarah Hopwood
david.hopwood@...
Feb 10, 2009 2:12 pm
279
... <https://bugzilla.mozilla.org/show_bug.cgi?id=309840#c12> # This fixes a highly dup'ed IE compatibility bug. It's an extension # to ECMA syntax that's...
David-Sarah Hopwood
david.hopwood@...
Feb 10, 2009 2:34 pm
280
... I'm confused -- how does it know that the middle '/' in "/[/]/" is "internal"? Is it lexing according to the intersection of Pattern from section 15.10.1,...
David-Sarah Hopwood
david.hopwood@...
Feb 10, 2009 2:44 pm
281
... You're right, but so what? The IE bug and monopoly combined to create a de-facto standard. Appealing to the de-jure standard does you no good, and...
... Plenty. But I suspect you know of them. There's conditional compilation comments /* @cc_on */, and there's the newlines in block comments thing return /*...
... Fixed in Firefox 3.1 beta nightlies: https://bugzilla.mozilla.org/show_bug.cgi?id=475834 We could push the fix back into a 3.0.x maintenance release if it ...
Suppose that S is a Unicode string in which each character matches ValidChar below, not containing the subsequences "<!", "</" or "]]>", and not containing...
David-Sarah Hopwood
david.hopwood@...
Feb 16, 2009 3:16 pm
285
No, I'm not paranoid enough yet. It's not sufficient only to say that the HTML is encoded as UTF-8 (see below). David-Sarah Hopwood wrote: [...] ... I meant,...
David-Sarah Hopwood
david.hopwood@...
Feb 16, 2009 4:29 pm
286
2009/2/16 David-Sarah Hopwood <david.hopwood@...> ... So no surrogates? ... Why include FFEF? ... You may still be subject to encoding...
... Correct. They're not characters (or even "noncharacters"). ... It's unassigned, and there's no particular reason to exclude it. (\uFFF0-\uFFF8 are also...
David-Sarah Hopwood
david.hopwood@...
Feb 17, 2009 11:13 am
288
... Isn't it the reflection of fffe, the byte-order-marker. This is probably a very minor issue, but if one part of a parser naively delegates to another...
... [...] ... No, \uFEFF is the BOM, and its byte-reflection \uFFFE is a noncharacter, so already excluded from ValidChar. (Thought you'd spotted something I'd...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
