Hello,
I am a student of computer science and want to implement a "jail" for
java-script or at least gather some information how one could do that.
The idea is not new. Brandon Eich had it before.
So the idea is to tell the browser: do not execute java-script within
this area, although the domain where that code comes from is allowed
to execute java-script outside such specific areas.
<jail id="someHash">
code here
</jail id="someHash">
My questions are the following:
1. Are there any plans of implementing stuff like this in Google
Chrome or WebKit in general? Please note that there is a difference
compared to the approach of Mozilla called Content Security Policy.
2. How difficult would that be? I imagine a procedure like this:
- parse the HTML Document
- cut out the peaces wrapped by jail tags
- hand the rest to the java-script engine
- take the output of the engine and reinsert the clipped parts
But what about the "dynamic"part? What if a link element within a jail
tag contains code like <a onclick="alert('onClick!')" title="">click
me</a>? Would that be invisible to the java-script engine because it
was not "registered"?
Mathias Wagner
--
Chromium Discussion mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-discuss
