On Mon, Jan 4, 2010 at 6:09 AM, Mathias Wagner <wolfsb...@googlemail.com> wrote:
> Hello,
>
> I am a student of computer science and want to implement a "jail" for
> java-script or at least gather some information how one could do
> that.
> The idea is not new. Brandon Eich had it before.
> So the idea is to tell the browser: do not execute java-script within
> this area, although the domain where that code comes from is allowed
> to execute java-script outside such specific areas.
>
> <html>
> ...
> here javascript allowed
>
> <jail id="someHash">
> code here
> ...
> no javascript allowed
> </jail id="someHash">
> ...
> </html>
>
>
> My questions are the following:
>
> 1. Are there any plans of implementing stuff like this in Google
> Chrome or WebKit in general? Please note that there is a difference
> compared to the approach of Mozilla called Content Security Policy.

http://old.nabble.com/innerStaticHTML-td26506964.html sounds like something similar.

> 2. How difficult would that be? I imagine a procedure like this:
> - parse the HTML Document
> - cut out the pieces wrapped by jail tags
> - hand the rest to the java-script engine
> - take the output of the engine and reinsert the clipped parts
>
> But what about the "dynamic" part? What if a link element within a
> jail tag contains code like
> <a onclick="alert('onClick!')" title="">click me</a>?
> Would that be invisible to the java-script engine because it
> was not "registered" when it is within a jail tag?
>
> And is there any kind of architecture picture of Chrome/Chromium? I
> imagine a simple image with the different modules and how they
> interact. Thanks a lot.
>
> Mathias Wagner
>
> --
> Chromium Developers mailing list: chromium-dev@googlegroups.com
> View archives, change email options, or unsubscribe:
> http://groups.google.com/group/chromium-dev
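
Added example, not part of the original thread and not Chromium or WebKit code: the "dynamic part" question matters because markup that is cut out and reinserted verbatim still carries its inline handlers, so this Python filter reduces each `<jail>` region to static markup before it would be reinserted. The allowlists and the names `JailExtractor` and `url_allowed` are assumptions made here, and Python's `html.parser` stands in for a browser's parser.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy (not from the thread): only these survive inside a jail.
SAFE_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "span", "img"}
SAFE_ATTRS = {"id", "class", "title", "alt", "href", "src"}
URL_SCHEME = re.compile(r"[\x00-\x20]*([A-Za-z][A-Za-z0-9+.\-]*):")

def url_allowed(value):  # browsers ignore tab/CR/LF and leading controls in URLs
    scheme = URL_SCHEME.match(re.sub(r"[\t\r\n]", "", value or ""))
    return scheme is None or scheme.group(1).lower() in ("http", "https", "mailto")

class JailExtractor(HTMLParser):
    def __init__(self, html_text):
        super().__init__()  # default convert_charrefs=True: text arrives decoded
        self.regions, self.depth, self.dropping = [], 0, None
        self.feed(html_text)
        self.close()

    def emit(self, text):
        if self.depth and self.dropping is None:
            self.regions[-1] += text

    def handle_starttag(self, tag, attrs):
        if tag == "jail":
            self.regions += [""] * (self.depth == 0)  # new region at top level only
            self.depth += 1
        elif tag in ("script", "style") and self.depth and self.dropping is None:
            self.dropping = tag  # discard the element together with its text
        elif tag in SAFE_TAGS:
            kept = [f' {n}="{escape(v or "")}"' for n, v in attrs if n in SAFE_ATTRS
                    and (n not in ("href", "src") or url_allowed(v))]
            self.emit(f"<{tag}{''.join(kept)}>")
    handle_startendtag = handle_starttag  # browsers treat "<script/>" as an open tag

    def handle_endtag(self, tag):
        if self.dropping:
            self.dropping = None if tag == self.dropping else self.dropping
        elif tag == "jail":
            self.depth = max(self.depth - 1, 0)
        elif tag in SAFE_TAGS:
            self.emit(f"</{tag}>")

    def handle_data(self, data):
        self.emit(escape(data, quote=False))  # re-encode so text stays text

SAMPLE = ('<p onclick="init()">outside</p><jail id="someHash"><a onclick="f()" title=""'
          ' href="JavaScript:f()">click me</a><script>f()</script> &amp; text</jail>')
print(JailExtractor(SAMPLE).regions)  # SAMPLE is constructed input for this example
```

`handle_endtag` receives no attributes, so the `id` on the closing tag in the post is not checked here, and a `</jail>` inside untrusted content ends the region early.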