2009/3/27 Matthew Toseland <[email protected]>:
> On Thursday 26 March 2009 15:26:19 Daniel Cheng wrote:
>> On Thu, Mar 26, 2009 at 9:47 PM, M <[email protected]> wrote:
>> > I understand that javascript has to be disabled because of the
>> > multitude of security holes it could open up. I was wondering if anyone
>> > had ever thought about a freenetscript similar to how facebook
>> > implemented FBML and FBJS to allow developers lots of scope for
>> > functionality whilst stopping phishing attacks.
>>
>> I did propose something similar in the past.
>> But some developers think it is far better to have a JavaScript parser/filter.
>> -- a "good" one, not a "complete" one.
>> [it can not be completed, for it is a proven equivalent to the halting problem]
>
> Not true. Only a filter which cannot modify code is equivalent to the halting
> problem. A filter which can modify code and insert guard functions is quite
> feasible: it does not need to know what the long-term behaviour of the code
> is, it just needs to know that the function for e.g. HTML insertion will
> always be fed through our HTML filtering.
Either we have to code an HTML filter in JavaScript,
call back to the server, or we end up with something too tight.
Doing this in a *static* context is *undecidable* on a Turing machine.
An attempt to do this would confuse the user:
-- programmers always want something predictable.
-- the user may spend hours inserting a freesite and end up with
something that doesn't work ....
> Having said that, there are various
> subtle attacks which it may not be possible to exclude completely without
> some fairly extreme measures (e.g. not allowing scripts to insert).
>
> Also I don't recall a proposal for a flexible scripting subset, iirc we were
> talking about recipes...
A long time ago,
I proposed a very small, defined JavaScript subset with helper functions
(just if-then-else, while, with a few functions, no access to DOM
objects directly, etc.)
This subset has to be predictable -- that is, the developer
should know if it will work without actually going through the filter.
>> > The FreenetScript could be parsed by FProxy and turned into regular
>> > javascript with freenet-only links.
_______________________________________________
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
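
The contrast discussed in this thread, as an added example that is not part of the original messages or of Freenet's code: a filter that only inspects script text, next to one that rewrites property writes into a guard call. `htmlFilter`, `guardedSet`, `HTML_SINKS` and the sample script are hypothetical, and the rewritten script is written by hand rather than produced from a parse tree.

```javascript
// Added illustration; every name here is hypothetical, not FProxy code.

// Stand-in for the node's HTML filter: the strictest policy, escape all markup.
function htmlFilter(s) {
  const esc = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => esc[c]);
}

const HTML_SINKS = new Set(['innerHTML', 'outerHTML']);

// Guard a rewriting filter would emit in place of every `obj[prop] = value`.
// It needs no knowledge of what the script does later, only the property
// name in use at the moment of the write.
function guardedSet(obj, prop, value) {
  const key = String(prop); // coerce once, so the name checked is the name written
  obj[key] = HTML_SINKS.has(key) ? htmlFilter(value) : value;
  return value;
}

// Constructed freesite script: the sink name only exists at run time.
const original = "var p = 'inner' + 'HTML'; el[p] = markup;";
// The same script with the write replaced by the guard call.
const rewritten = "var p = 'inner' + 'HTML'; guardedSet(el, p, markup);";

// A filter that cannot modify code can only look at the text.
function staticFilterAccepts(src) {
  return !/innerHTML|outerHTML/.test(src);
}

// Run a script against a fake element and return what reached the HTML sink.
function run(src, markup) {
  const el = {};
  new Function('el', 'markup', 'guardedSet', src)(el, markup, guardedSet);
  return el.innerHTML;
}

// Constructed input: an off-network link, which the HTML filter must not let through.
const sample = '<a href="http://example.invalid/">out</a>';

console.log('static filter accepts original:', staticFilterAccepts(original));
console.log('original writes :', run(original, sample));
console.log('rewritten writes:', run(rewritten, sample));
```

The guard filters every write regardless of how the property name was computed, which is also why it is hard for a freesite author to predict the result without running the filter.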