On Mon, Nov 5, 2012 at 2:35 PM, Andrea Giammarchi
andrea.giammar...@gmail.com wrote:
my point on namespaces was this one: everyone want's to use jQuery, then
underscore, then this or that ... then you need to be able to modify the
white list.
Thanks for the clarification. jQuery and much
Irakli Gozalishvili wrote:
Hi,
I keep running into cases where I would like to know if function is
pure. Although my interpretation of pure is not quite right but I don't
know any better name. By pure in this context I would refer to functions
that don't access an out scope variables and
I see security problems all over ... you own your function, you can make it
pure or serializable ... you don't know your function, I believe there's
no way you want that unknown function to be executed in your own sandbox
opening doors for any sort of attack, i.e. ... this is pure, no outer scope
On 05/11/2012 22:11, Andrea Giammarchi wrote:
I see security problems all over ... you own your function, you can
make it pure or serializable ... you don't know your function, I
believe there's no way you want that unknown function to be executed
in your own sandbox opening doors for any
I was doing that manually with Elsewhere but you have to know your code. I
don't see a reasonable way to trust external one unless a mechanism to flag
that unserialize as not trusted and keep that in mind per each function
execution ( something like dealing with images in canvas then try to
On Mon, Nov 5, 2012 at 11:52 AM, Irakli Gozalishvili rfo...@gmail.com wrote:
Hi,
I keep running into cases where I would like to know if function is pure.
Although my interpretation of pure is not quite right but I don't know any
better name. By pure in this context I would refer to
I think closed strict function is adequate for these purposes. By
closed though, we need only mean except for the whitelisted globals,
using the whitelist at
http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/whitelist.js
as updated for ES6.
On Mon, Nov 5, 2012 at
On Mon, Nov 5, 2012 at 1:11 PM, Andrea Giammarchi
andrea.giammar...@gmail.com wrote:
I see security problems all over ... you own your function, you can make
it pure or serializable ... you don't know your function, I believe
there's no way you want that unknown function to be executed in
not sure I follow the single thread part which I believe isn't bringing
anything new here or maybe I have missed the point.
What I am saying is that only via that SES thing, or similar parsers, you
might add security but I wonder if the Function, as far as I can tell being
allowed, is able to
On Mon, Nov 5, 2012 at 2:22 PM, Andrea Giammarchi
andrea.giammar...@gmail.com wrote:
not sure I follow the single thread part which I believe isn't bringing
anything new here or maybe I have missed the point.
My point was only that, in SES, the attack you showed is only an attack on
On Mon, Nov 5, 2012 at 2:22 PM, Andrea Giammarchi
andrea.giammar...@gmail.com wrote:
not sure I follow the single thread part which I believe isn't bringing
anything new here or maybe I have missed the point.
What I am saying is that only via that SES thing, or similar parsers,
you might
my point on namespaces was this one: everyone want's to use jQuery, then
underscore, then this or that ... then you need to be able to modify the
white list.
On Mon, Nov 5, 2012 at 2:28 PM, Mark S. Miller erig...@google.com wrote:
On Mon, Nov 5, 2012 at 2:22 PM, Andrea Giammarchi
that wants ...
On Mon, Nov 5, 2012 at 2:35 PM, Andrea Giammarchi
andrea.giammar...@gmail.com wrote:
my point on namespaces was this one: everyone want's to use jQuery, then
underscore, then this or that ... then you need to be able to modify the
white list.
On Mon, Nov 5, 2012 at 2:28