Hi, Mr. Eich. I'm on the Caja team here at Google; I'm pretty sure
you're familiar with our goals and our approach through discussions
with Mark Miller. We've pretty much succeeded in virtualizing
JavaScript within web pages; the one place we're failing is with
Flash's interaction with the page via the ExternalInterface class.
At the moment, a page author has only an on/off switch--a Flash
program can either control the page completely or not at all--while
the Flash author has fine-grained control, since he can specify
exactly which ActionScript methods JavaScript code in the page is
allowed to call. We'd like to make the situation more symmetric; we'd
like to be able to specify exactly which JavaScript functions are
visible to the ActionScript code. We've made a proposal to Adobe that
would allow us to do that.
However, it was pointed out to me that it's really not Adobe's
responsibility to protect the page's interests; if we think of the
list of allowed functions as a security policy for a firewall, Adobe
is properly running its own, while the browser has none. I assume
that the Flash player is doing something like
JS_EvaluateScript(cx, global, script, strlen(script),
filename, lineno, &rval);
The JS_EvaluateScript function is effectively granting Flash code the
authority to execute the "eval" function. However, if this function
*literally* invoked "eval" on the provided script, then a page author
could rebind that symbol to a less powerful definition, constraining
the authority of Flash code to cause changes to the page.
Would you support such a change to the way Mozilla interacts with plugins?
--
Mike Stay - [email protected]
http://math.ucr.edu/~mike
http://reperiendi.wordpress.com
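The rebinding idea in the message above, worked through as an added example (this is not code from the email, from Caja, or from the Flash player): a page author shadows the global `eval` with a policy-driven evaluator that binds only an allowlisted set of page functions into the scope the plugin's script runs in and hides the globals the script would otherwise use to reach the page. The page functions (`showStatus`, `getUserCount`), the allow and block lists, and the `makeRestrictedEval` / `installRestrictedEval` names are all assumptions made for the illustration. It demonstrates the mechanism only: shadowing by name does not confine scripts that reach the global object through other paths, which is why a full system such as Caja rewrites the code rather than relying on scope tricks.

```javascript
'use strict';

// Every call the plugin script makes through an allowed function is recorded
// here, so the page can see exactly what authority the script exercised.
const callLog = [];

// Hypothetical page functions the page author is willing to expose.
function showStatus(msg) { callLog.push(['showStatus', String(msg)]); }
function getUserCount() { callLog.push(['getUserCount']); return 42; }

// Policy: the only page functions the plugin script may call, by name.
// This is the "list of allowed functions" playing the role of a firewall rule.
const ALLOWED = { showStatus, getUserCount };

// Globals deliberately shadowed (bound to undefined) inside the evaluation
// scope so the script cannot reach the page through them. Constructed list.
const BLOCKED = ['window', 'document', 'globalThis', 'self',
                 'XMLHttpRequest', 'fetch', 'Function'];

// Builds a less powerful replacement for eval. The plugin script is compiled
// as the body of a strict-mode function whose parameters shadow the blocked
// globals and bind the allowed page functions; a strict body also makes
// `this` undefined rather than the global object.
function makeRestrictedEval(allowed, blocked) {
  const allowedNames = Object.keys(allowed);
  const params = [...blocked, ...allowedNames];
  return function restrictedEval(source) {
    if (typeof source !== 'string') {
      throw new TypeError('plugin script must be a string');
    }
    const fn = new Function(...params, '"use strict";\n' + source);
    const args = [
      ...blocked.map(() => undefined),
      ...allowedNames.map((name) => allowed[name]),
    ];
    return fn.apply(undefined, args);
  };
}

// Rebinds the global "eval" symbol to the policy evaluator, which is what the
// message proposes a page author be able to rely on; returns a restore hook.
function installRestrictedEval(policyEval) {
  const original = globalThis.eval;
  globalThis.eval = policyEval;
  return function restore() { globalThis.eval = original; };
}

// Stand-alone usage with a constructed plugin script: the allowed calls go
// through, the attempt to touch `document` fails inside the restricted scope.
const policyEval = makeRestrictedEval(ALLOWED, BLOCKED);
policyEval('showStatus("loaded"); var n = getUserCount(); showStatus("users=" + n);');
console.log('recorded calls:', JSON.stringify(callLog));
try {
  policyEval('document.title = "changed by plugin";');
} catch (err) {
  console.log('blocked:', err.constructor.name, err.message);
}
```

The evaluator returns whatever the script `return`s, so the page can also use it to ask the script for a value; anything the script does through names not in `ALLOWED` either resolves to `undefined` or is invisible because `new Function` compiles in the global scope, not the page's module scope.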