196Re: [caplet] Re: ADsafe and the Standard Globals
- Apr 11 2:13 PMMike Samuel wrote:
> On 10/04/2008, David-Sarah Hopwoodand timezone
> <david.hopwood@...> wrote:
>> Douglas Crockford wrote:
>> > They are creatures of the DOM.
>> I can see the B-movie poster now :-)
>> More seriously, all of the objects that Doug just granted access to,
>> with the exception of Date, provide no authority -- they only provide
>> pure deterministic functions, constant values, and the ability to
>> allocate objects of those types (if you don't count that as pure).
>> I had come up with exactly the same list for Jacaranda -- except
>> that I had accidentially missed out encodeURIComponent.
>> implementation thinks the current date/time
>> is, which is technically an authority -- but not one that is significantAnd Array.prototype.toLocaleString, and String.prototype.localeCompare.
>> for ADsafe's threat model.
> Date also provides info about the user's locale, but so does Number to
> some degree.
Thanks for pointing this out -- it's better to have any ambient authority
that we decide to allow thoroughly documented.
- << Previous post in topic Next post in topic >>