Hello,

I am a student of computer science and want to implement a "jail" for
JavaScript, or at least gather some information on how one could do
that.
The idea is not new. Brendan Eich had it before.
So the idea is to tell the browser: do not execute JavaScript within
this area, although the domain where that code comes from is allowed
to execute JavaScript outside such specific areas.

<html>
...
here javascript allowed

<jail id="someHash">
code here
...
no javascript allowed
</jail id="someHash">
...
</html>


My questions are the following:

1. Are there any plans of implementing stuff like this in Google
Chrome or WebKit in general? Please note that there is a difference
compared to the approach of Mozilla called Content Security Policy.

2. How difficult would that be? I imagine a procedure like this:
- parse the HTML document
- cut out the pieces wrapped by jail tags
- hand the rest to the JavaScript engine
- take the output of the engine and reinsert the clipped parts

But what about the "dynamic" part? What if a link element within a
jail tag contains code like <a onclick="alert('onClick!')" title="">click
me</a>? Would that be invisible to the JavaScript engine because it
was not "registered" when it is within a jail tag?

And is there any kind of architecture picture of Chrome/Chromium? I
imagine a simple image with the different modules and how they
interact. Thanks a lot.

Mathias Wagner

-- 
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
    http://groups.google.com/group/chromium-dev
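
Added example, not part of the original message and not Chromium or WebKit code: a small Python audit of the "cut out the pieces wrapped by jail tags" step that lists the script-capable markup found inside each jail, including inline handlers like the onclick link in the question. The names ScriptFinder and audit_jails, the sample page and the rule that a jail closes only at a tag repeating its id are assumptions; the message shows the repeated id but does not say how it is meant to be used.

```python
import re
from html.parser import HTMLParser

# Assumption: a jail ends only at a closing tag that repeats the opening id.
JAIL_RE = re.compile(r'<jail\s+id="([^"]+)"\s*>(.*?)</jail\s+id="\1"\s*>',
                     re.IGNORECASE | re.DOTALL)
URL_ATTRS = {"href", "src", "action", "formaction"}


class ScriptFinder(HTMLParser):
    """Records markup inside one jail that would make a browser run script."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-element", tag, ""))
        for name, value in attrs:
            if name.startswith("on"):  # inline handlers such as onclick
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS:
                url = re.sub(r"[\t\n\r]", "", value or "").strip().lower()
                if url.startswith("javascript:"):
                    self.findings.append(("javascript-url", tag, name))


def audit_jails(html):
    """Return {jail id: findings} for every jail region in the document."""
    report = {}
    for match in JAIL_RE.finditer(html):
        finder = ScriptFinder()
        finder.feed(match.group(2))
        finder.close()
        report[match.group(1)] = finder.findings
    return report

# Constructed sample page; ids and markup are made up for this example.
SAMPLE = """<html><body onload="init()">
<jail id="a1b2">
<a onclick="alert('onClick!')" title="">click me</a>
</jail>
<a href="javascript:void(0)">still inside a1b2</a>
</jail id="a1b2">
<jail id="c3d4"><p>plain text</p></jail id="c3d4">
</body></html>"""

if __name__ == "__main__":
    print(audit_jails(SAMPLE))
```

In the sample, the bare </jail> inside jail a1b2 does not end the region, so the link after it is still audited, while the onload handler on the body, which sits outside every jail, is not reported.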
