Hi folks, Joel was playing around with ADsafe today and noticed that the verifier seems to be broken at the moment. For example, this widget passes the...
I slimmed down the ADsafe banned list. These are the names of members that may not be accessed. This list is now: arguments callee caller constructor eval ...
This workshop may be of interest to subscribers of this mailing list: Web 2.0 Security & Privacy 2009, Claremont Resort in Oakland, California, May 21, 2009 ...
Doug, Do you know whether you will have time in the next few days (before March 25) to review a few of the papers submitted to W2SP this year? There are a few...
I added +tagName to the ADsafe query language. It selects the immediate sibling, so dom.q("h1+p") selects all of the <p> that immediately follow an <h1>....
This is the announcement of the call for papers for the third in a series of successful workshops on topics related to security and privacy for Web 2.0. This...
Suppose that S is a Unicode string in which each character matches ValidChar below, not containing the subsequences "<!", "</" or "]]>", and not containing...
Consider the following JavaScript source: [ /[/]/ /foo]/ + bar According to the ES3 spec, this is interpreted as: [ new RegExp("[") ] / new RegExp("foo]") +...
At http://wiki.ecmascript.org/doku.php?id=ses:ses_proposal_working_draft is posted a very rough first draft for a "Secure ECMAScript" standard, derived from...
This is the announcement of the call for papers for the third in a series of successful workshops on topics related to security and privacy for Web 2.0. This...
http://apps.yahoo.com/-yNmsEV4q/ I'm "ocap capo". It (and therefore Caja) also works on an iPhone. Thanks to the Yahoo! and Zynga folks! -- Cheers, --MarkM...
The W3C Technical Architecture Group (TAG) discusses ocaps for the web starting at http://www.w3.org/2001/tag/2008/12/10-minutes#item03 teaser sample: 'DO: SW...
I implemented PPK's focus hack (http://www.quirksmode.org/blog/archives/2008/04/delegating_the.html) in ADsafe, so focus and blur events may now be delegated....
ADsafe will block the bind method. The bind method proposed for ES3.1 is safe, but the bind methods provided by the current Ajax libraries are not because they...
ADsafe will now accept subscripting expressions that use the + prefix, so koda[bosonda] can be written as koda[+bosonda] instead of as ADSAFE.get(koda,...
Not directly object-capability news, but very good news from an ocap perspective. ... From: Brendan Eich <brendan@...> Date: Wed, Aug 13, 2008 at 2:26...
On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich ... Wow. No, we had no idea. I admit that I am shocked that the one tight encapsulation mechanism in...
I created a safe option in JSLint for checking the safe subset. The adsafe option assumes the safe option, and additionally checks for ADsafe widget...
I am developing an Ajax library for ADsafe. It applies a capability discipline to the dom tree, blocking access to parents and siblings. It wraps collections...
Recently I have been working on a new project, dojox.secure, to add a secure mechanism to Dojo for loading and executing untrusted code and widgets, and I...
I have been investigating an idea for a secure cross-site transport. It seems unlikely that no one has done anything like this before, but I can't find any...
I relaxed some of the restrictions on the get method. It still requires that the object is in fact an object (and not a function), but it allows the returning...
ADsafe now allows long dot expressions that refine the allowed global variables. So ADSAFE.koda.bosanda.bosoya.tikki.ottobo(); is now acceptable. JSLint's UI...