Loading ...
Sorry, an error occurred while loading the content.

196Re: [caplet] Re: ADsafe and the Standard Globals

Expand Messages
  • David-Sarah Hopwood
    Apr 11 2:13 PM
    • 0 Attachment
      Mike Samuel wrote:
      > On 10/04/2008, David-Sarah Hopwood
      > <david.hopwood@...> wrote:
      >> Douglas Crockford wrote:
      >> > They are creatures of the DOM.
      >>
      >> I can see the B-movie poster now :-)
      >>
      >> More seriously, all of the objects that Doug just granted access to,
      >> with the exception of Date, provide no authority -- they only provide
      >> pure deterministic functions, constant values, and the ability to
      >> allocate objects of those types (if you don't count that as pure).
      >> I had come up with exactly the same list for Jacaranda -- except
      >> that I had accidentially missed out encodeURIComponent.
      >>
      >> Date is an exception just because it grants access to what the Javascript
      >> implementation thinks the current date/time

      and timezone

      >> is, which is technically an authority -- but not one that is significant
      >> for ADsafe's threat model.
      >
      > Date also provides info about the user's locale, but so does Number to
      > some degree.

      And Array.prototype.toLocaleString, and String.prototype.localeCompare.
      Thanks for pointing this out -- it's better to have any ambient authority
      that we decide to allow thoroughly documented.

      --
      David-Sarah Hopwood
    • Show all 15 messages in this topic