227 Re: [caplet] adsafe.js

  • David-Sarah Hopwood
    Jun 7, 2008
      David-Sarah Hopwood wrote:
      > Adam Barth wrote:
      >> On Tue, Jun 3, 2008 at 1:40 PM, Douglas Crockford
      >> <douglas@...> wrote:
      >>> The first edition of adsafe.js is available at
      >>> http://adsafe.org/adsafe.js. It still lacks dom wrappage and
      >>> interwidget communication.
      >> Attached is a rough first draft of a safe DOM wrapper. The main idea
      >> is that untrusted script views DOM nodes simply as integer handles.
      > It would be easy to make the handles opaque:
      > node.__safe_dom_handle__ = handle;
      > function makeHandle(node) {
      >     return {__node__: node};
      > }

      This will leak memory on IE (even after the nodes array has become
      unreferenced after leaving the page), because JScript's excuse for a
      garbage collector cannot collect cycles that involve a DOM object.
      That problem could be fixed by having the node object store the index
      of the handle in the nodes array, rather than a reference to the handle.

      David-Sarah Hopwood
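
The fix described in the message above, sketched as an added example that is not part of the original thread or of adsafe.js: each handle refers to its node, while the node stores only the integer index of its handle, so no object cycle passes through the DOM node. The names `makeHandleTable`, `handleFor`, `nodeFor` and `hasCycle` are hypothetical, plain objects stand in for DOM nodes so the code runs outside a browser, and it is assumed that guest code cannot read `__node__` itself.

```javascript
// Added example. Plain objects below stand in for DOM nodes (constructed input).
function makeHandleTable() {
  var handles = [];   // index -> handle; visible only to the trusted wrapper

  // Return the handle already issued for this node, or mint a new one.
  function handleFor(node) {
    var i = node.__safe_dom_handle__;
    if (typeof i === 'number' && handles[i] && handles[i].__node__ === node) {
      return handles[i];
    }
    var handle = { __node__: node };             // handle -> node (one direction)
    node.__safe_dom_handle__ = handles.length;   // node -> integer, never node -> handle
    handles.push(handle);
    return handle;
  }

  // Resolve a handle passed back by untrusted code. Only objects that this
  // table issued are accepted; look-alike objects and primitives are rejected.
  function nodeFor(handle) {
    var node = handle && handle.__node__;
    var i = node && node.__safe_dom_handle__;
    if (typeof i !== 'number' || handles[i] !== handle) {
      throw new TypeError('not a handle issued by this table');
    }
    return node;
  }

  // True if any property of the node refers back to an issued handle,
  // which is the node <-> handle cycle the message warns about.
  function hasCycle(node) {
    for (var k in node) {
      if (handles.indexOf(node[k]) !== -1) { return true; }
    }
    return false;
  }

  return { handleFor: handleFor, nodeFor: nodeFor, hasCycle: hasCycle };
}
```

The table itself still keeps every issued handle, and through it every node, reachable for as long as the table is referenced.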