On 29/01/2018 09:32, JewSA wrote:
Technically, jewscript allows the execution of arbitrary code.
Game Over.
Javascript can be, and should be, compiled into caja, which is a safe
subset of Javascript.
Unfortunately, this solution is only available for servers, not end users.
The caja subset of javascript has no access to the dom, and runs in a
sandbox. So it can only screw things that you put into the sandbox.
I would like to see an end user caja system that constrains java on
arbitrary web pages so that it can only tinker with its own web page,
talk to the server whose address appears on the url line that you see
when looking at that web page, and has no knowledge of anything about
your computer except the clicks on that web page and text you have typed
into that web page.
Which was how javascript was originally supposed to work.
