On Dec 11, 3:16 am, Attila Szegedi <[EMAIL PROTECTED]> wrote: > Hi there, > > I'll take a shot, as the party guilty of bringing > PolicySecurityController into existence... > > As far as the PolicySecurityController and the policy file are > concerned, I think you're doing it completely correctly. That's the > way to do it -- you gave all permissions to the code you trust, and no > permissions to other code. Writing to System.out is however never > subject to a security check. > > If you want to disallow access to java.* Packages.* etc, just remove > them from the scope after you invoked initStandardObjects() > > It's very late here and I'm barely awake right now, so I won't > elaborate further at the moment -- if you'd need further information, > please shout and I'll try to follow up tomorrow. > > Attila. > > -- > home:http://www.szegedi.org > twitter:http://twitter.com/szegedi > weblog:http://constc.blogspot.com >
That's progress, I suppose. :-) My instinct tells me that what I should do, then, is do initStandardObjects() and then iterate over all symbols in the scope, removing (using Scriptable.delete() if that guess isn't wrong) any that don't appear in, for example, the Standard Objects list (<https:// developer.mozilla.org/en/ Core_JavaScript_1.5_Reference#Standard_global_objects>) instead of specifically removing java, Packages, sun, and so forth, because I'm paranoid like that... Is there any straightforward way to voluntarily forbid actions that would normally pass unchecked, like the aforementioned stdio? In any case, thanks a zillion; I think I can begin to move forward to the next roadblock. danx dro _______________________________________________ dev-tech-js-engine-rhino mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
