
ADsafe and the Standard Globals

  • Douglas Crockford
    Message 1 of 15 , Apr 9, 2008
      I am relaxing ADsafe to allow access to these standard globals:

      Array Boolean Date decodeURI decodeURIComponent encodeURI
      encodeURIComponent Error escape EvalError isFinite isNaN
      Math Number Object parseInt parseFloat RangeError
      ReferenceError RegExp String SyntaxError TypeError unescape
      URIError

      Access to the globals eval and Function are still not allowed, no way
      no how.

      Access is limited the same way as the ADSAFE object, in that only
      invocation of functions is allowed. These operations are not allowed:

      o = Object;
      o = Object.foo;
      Object = null;
      Object.foo = null;

      Functions may be invoked:

      Object();
      Object.foo();

      Values may be obtained only for these member names:

      E LN2 LN10 LOG2E LOG10E PI SQRT1_2 SQRT2 MAX_VALUE MIN_VALUE
      NEGATIVE_INFINITY POSITIVE_INFINITY

      so

      Object.PI

      is allowed.
    • Mike Samuel
      Message 2 of 15 , Apr 9, 2008
        On 09/04/2008, Douglas Crockford <douglas@...> wrote:
        > I am relaxing ADsafe to allow access to these standard globals:
        >
        > Array Boolean Date decodeURI decodeURIComponent encodeURI
        > encodeURIComponent Error escape EvalError isFinite isNaN
        > Math Number Object parseInt parseFloat RangeError
        > ReferenceError RegExp String SyntaxError TypeError unescape
        > URIError

        Is it really worth including {,un}escape in light of
        http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ?
        Is it a goal to support older versions of JS that don't have
        {de,en}codeURIComponent?



        > Access to the globals eval and Function are still not allowed, no way
        > no how.
        >
        > Access is limited the same way as the ADSAFE object, in that only
        > invocation of functions is allowed. These operations are not allowed:
        >
        > o = Object;
        > o = Object.foo;
        > Object = null;
        > Object.foo = null;

        Is RegExp.$1 not allowed? If so, it may leak information from the
        last match performed by privileged code.


        > Functions may be invoked:
        >
        > Object();
        > Object.foo();
        >
        > Values may be obtained only for these member names:
        >
        > E LN2 LN10 LOG2E LOG10E PI SQRT1_2 SQRT2 MAX_VALUE MIN_VALUE
        > NEGATIVE_INFINITY POSITIVE_INFINITY
        >
        > so
        >
        > Object.PI
        >
        > is allowed.
      • Kris Zyp
        Message 3 of 15 , Apr 9, 2008
          > Array Boolean Date decodeURI decodeURIComponent encodeURI
          > encodeURIComponent Error escape EvalError isFinite isNaN
          > Math Number Object parseInt parseFloat RangeError
          > ReferenceError RegExp String SyntaxError TypeError unescape
          > URIError
          No confirm, alert, or prompt? Preventing annoyance exploits? ;) Or is there another exploit I am not aware of?
          Kris
        • Douglas Crockford
          Message 4 of 15 , Apr 10, 2008
            --- In caplet@yahoogroups.com, "Kris Zyp" <kris@...> wrote:

            > No confirm, alert, or prompt? Preventing annoyance exploits? ;) Or
            > is there another exploit I am not aware of?

            Those are not standard globals. They are creatures of the DOM.
            Currently, ADsafe is not granting any access to the DOM. I might relax
            this later. I am relaxing with caution.
          • ♘ stay
            Message 5 of 15 , Apr 10, 2008
              On Wed, Apr 9, 2008 at 4:48 PM, Douglas Crockford <douglas@...> wrote:
              > Values may be obtained only for these member names:
              >
              > E LN2 LN10 LOG2E LOG10E PI SQRT1_2 SQRT2 MAX_VALUE MIN_VALUE
              > NEGATIVE_INFINITY POSITIVE_INFINITY
              >
              > so
              >
              > Object.PI
              >
              > is allowed.

              Did you mean Math.PI, or is X.PI allowed for any X?
              --
              Mike Stay
              stay@...
            • Douglas Crockford
              Message 6 of 15 , Apr 10, 2008
                --- In caplet@yahoogroups.com, "♘ stay" <stay@...> wrote:

                > Did you mean Math.PI, or is X.PI allowed for any X?

                Yes. It is in anticipation of a decimal package of some sort.
              • David-Sarah Hopwood
                Message 7 of 15 , Apr 10, 2008
                  Douglas Crockford wrote:
                  > They are creatures of the DOM.

                  I can see the B-movie poster now :-)


                  More seriously, all of the objects that Doug just granted access to,
                  with the exception of Date, provide no authority -- they only provide
                  pure deterministic functions, constant values, and the ability to
                  allocate objects of those types (if you don't count that as pure).
                  I had come up with exactly the same list for Jacaranda -- except
                  that I had accidentally missed out encodeURIComponent.

                  Date is an exception just because it grants access to what the Javascript
                  implementation thinks the current date/time is, which is technically an
                  authority -- but not one that is significant for ADsafe's threat model.

                  --
                  David-Sarah Hopwood
                • Mike Samuel
                  Message 8 of 15 , Apr 10, 2008
                    On 10/04/2008, David-Sarah Hopwood
                    <david.hopwood@...> wrote:
                    > Douglas Crockford wrote:
                    > > They are creatures of the DOM.
                    >
                    > I can see the B-movie poster now :-)
                    >
                    > More seriously, all of the objects that Doug just granted access to,
                    > with the exception of Date, provide no authority -- they only provide
                    > pure deterministic functions, constant values, and the ability to
                    > allocate objects of those types (if you don't count that as pure).
                    > I had come up with exactly the same list for Jacaranda -- except
                    > that I had accidentally missed out encodeURIComponent.
                    >
                    > Date is an exception just because it grants access to what the Javascript
                    > implementation thinks the current date/time is, which is technically an
                    > authority -- but not one that is significant for ADsafe's threat model.

                    Date also provides info about the user's locale, but so does Number to
                    some degree.
                  • Mark S. Miller
                    Message 9 of 15 , Apr 10, 2008
                      On Wed, Apr 9, 2008 at 10:17 PM, Kris Zyp <kris@...> wrote:
                      > No confirm, alert, or prompt? Preventing annoyance exploits? ;) Or is there
                      > another exploit I am not aware of?

                      Currently, ADsafe is still approximately a subset of Caja. Were these
                      added, it would cause significant breakage of the subset relationship.

                      --
                      Cheers,
                      --MarkM
                    • David-Sarah Hopwood
                      Message 10 of 15 , Apr 11, 2008
                        Mike Samuel wrote:
                        > On 10/04/2008, David-Sarah Hopwood
                        > <david.hopwood@...> wrote:
                        >> Douglas Crockford wrote:
                        >> > They are creatures of the DOM.
                        >>
                        >> I can see the B-movie poster now :-)
                        >>
                        >> More seriously, all of the objects that Doug just granted access to,
                        >> with the exception of Date, provide no authority -- they only provide
                        >> pure deterministic functions, constant values, and the ability to
                        >> allocate objects of those types (if you don't count that as pure).
                        >> I had come up with exactly the same list for Jacaranda -- except
                        >> that I had accidentally missed out encodeURIComponent.
                        >>
                        >> Date is an exception just because it grants access to what the Javascript
                        >> implementation thinks the current date/time

                        and timezone

                        >> is, which is technically an authority -- but not one that is significant
                        >> for ADsafe's threat model.
                        >
                        > Date also provides info about the user's locale, but so does Number to
                        > some degree.

                        And Array.prototype.toLocaleString, and String.prototype.localeCompare.
                        Thanks for pointing this out -- it's better to have any ambient authority
                        that we decide to allow thoroughly documented.

                        --
                        David-Sarah Hopwood
                      • Mark Miller
                        Message 11 of 15 , Apr 11, 2008
                          On Fri, Apr 11, 2008 at 2:13 PM, David-Sarah Hopwood
                          <david.hopwood@...> wrote:
                          > >> More seriously, all of the objects that Doug just granted access to,
                          > >> with the exception of Date, provide no authority -- they only provide
                          > >> pure deterministic functions, constant values, and the ability to
                          > >> allocate objects of those types (if you don't count that as pure).

                          In addition to the violations noted later in this thread, there's also
                          Math.random().


                          --
                          Text by me above is hereby placed in the public domain

                          Cheers,
                          --MarkM
                        • Douglas Crockford
                          Message 12 of 15 , Apr 15, 2008
                            --- In caplet@yahoogroups.com, "Mike Samuel" <mikesamuel@...> wrote:
                            > > I am relaxing ADsafe to allow access to these standard globals:
                            > >
                            > > Array Boolean Date decodeURI decodeURIComponent encodeURI
                            > > encodeURIComponent Error escape EvalError isFinite isNaN
                            > > Math Number Object parseInt parseFloat RangeError
                            > > ReferenceError RegExp String SyntaxError TypeError unescape
                            > > URIError
                            >
                            > Is it really worth including {,un}escape in light of
                            > http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ?
                            > Is it a goal to support older versions of JS that don't have
                            > {de,en}codeURIComponent?

                            It is in the standard and it does not represent a leak. escape is not
                            recommended for encoding URLs, but can be used for encoding values in
                            cookies. Unless there is a stronger argument, I think it should be
                            allowed.

                            > Is RegExp.$1 not allowed? If so, it may leak information from the
                            > last match performed by privileged code.

                            RegExp.$1 is not allowed because $1 is not the name of one of the
                            Math/Number constants.

                            RegExp['$1'] is not allowed because '$1' does not look like a
                            stringified number.

                            ADsafe.get(RegExp, '$1') is not allowed because RegExp is a function.
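The access rules Crockford sets out in message 1 and the three RegExp.$1 spellings he rejects in message 12, modelled as a small policy checker. This is an added example, not ADsafe's or JSLint's code: the access-descriptor shape, the name checkAccess, the digits-only test for a "stringified number", and treating ADSAFE.get on Math like a plain member read are my assumptions, and escape/unescape are left off the allowlist as the thread ends up doing.

```javascript
// Added example: a model of the access rules stated in this thread, not ADsafe's own code.
// Globals reachable from ADsafe code (escape/unescape dropped, as the thread concludes).
const ALLOWED_GLOBALS = new Set([
  'Array', 'Boolean', 'Date', 'decodeURI', 'decodeURIComponent', 'encodeURI',
  'encodeURIComponent', 'Error', 'EvalError', 'isFinite', 'isNaN', 'Math',
  'Number', 'Object', 'parseInt', 'parseFloat', 'RangeError', 'ReferenceError',
  'RegExp', 'String', 'SyntaxError', 'TypeError', 'URIError',
]);

// The only member names whose values may be read from an allowed global.
const CONSTANT_NAMES = new Set([
  'E', 'LN2', 'LN10', 'LOG2E', 'LOG10E', 'PI', 'SQRT1_2', 'SQRT2',
  'MAX_VALUE', 'MIN_VALUE', 'NEGATIVE_INFINITY', 'POSITIVE_INFINITY',
]);

// "Looks like a stringified number": assumed here to mean decimal digits only.
const looksLikeNumber = (key) => /^\d+$/.test(String(key));

// access = { global, kind, member } where kind is one of:
//   'ref'       global used as a value          o = Object
//   'read'      member value read               Object.foo / Object.PI
//   'call'      invocation                      Object() / Object.foo()
//   'assign'    write to global or member       Object = null / Object.foo = null
//   'subscript' bracket access with a literal   RegExp['$1']
//   'get'       ADSAFE.get(global, member)
function checkAccess({ global, kind, member }) {
  const deny = (reason) => ({ allowed: false, reason });
  const allow = (reason) => ({ allowed: true, reason });
  if (global === 'eval' || global === 'Function') return deny(`${global}: no way, no how`);
  if (!ALLOWED_GLOBALS.has(global)) return deny(`${global} is not an allowed global`);
  switch (kind) {
    case 'call':
      return allow('functions may be invoked');
    case 'ref':
    case 'assign':
      return deny('a global may only be invoked, never captured or written');
    case 'read':
      return CONSTANT_NAMES.has(member)
        ? allow(`${member} is one of the Math/Number constant names`)
        : deny(`${member} is not one of the Math/Number constant names`);
    case 'subscript':
      return looksLikeNumber(member)
        ? allow('subscript looks like a stringified number')
        : deny(`'${member}' does not look like a stringified number`);
    case 'get':
      // Every allowed global except Math is a function, and get() refuses functions.
      if (global !== 'Math') return deny(`${global} is a function`);
      return checkAccess({ global, kind: 'read', member }); // assumed: same rule as a read
    default:
      return deny(`unknown access kind ${kind}`);
  }
}

// Why the $1 rule matters: after privileged code runs any match, the legacy
// static RegExp.$1 still holds the last capture (constructed value, not real data).
function lastCaptureAfterPrivilegedMatch() {
  /token=(\w+)/.exec('session token=abc123; path=/');
  return RegExp.$1;
}
```

Run the checker over the examples from messages 1 and 12 and it reproduces each verdict given there, while lastCaptureAfterPrivilegedMatch() shows the data that the $1 rule keeps out of reach.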
                          • Mike Samuel
                            Message 13 of 15 , Apr 15, 2008
                              On 15/04/2008, Douglas Crockford <douglas@...> wrote:
                              > --- In caplet@yahoogroups.com, "Mike Samuel" <mikesamuel@...> wrote:
                              > > > I am relaxing ADsafe to allow access to these standard globals:
                              > > >
                              > > > Array Boolean Date decodeURI decodeURIComponent encodeURI
                              > > > encodeURIComponent Error escape EvalError isFinite isNaN
                              > > > Math Number Object parseInt parseFloat RangeError
                              > > > ReferenceError RegExp String SyntaxError TypeError unescape
                              > > > URIError
                              > >
                              > > Is it really worth including {,un}escape in light of
                              > > http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ?
                              > > Is it a goal to support older versions of JS that don't have
                              > > {de,en}codeURIComponent?
                              >
                              > It is in the standard and it does not represent a leak. escape is not
                              > recommended for encoding URLs, but can be used for encoding values in
                              > cookies. Unless there is a stronger argument, I think it should be
                              > allowed.

                              I have no stronger argument than, in code I review, it is much more
                              frequently misused than used properly.

                              If the goal is to allow all innocuous ES built-ins, then it should be allowed.



                              > > Is RegExp.$1 not allowed? If so, it may leak information from the
                              > > last match performed by privileged code.
                              >
                              > RegExp.$1 is not allowed because $1 is not the name of one of the
                              > Math/Number constants.
                              >
                              > RegExp['$1'] is not allowed because '$1' does not look like a
                              > stringified number.
                              >
                              > ADsafe.get(RegExp, '$1') is not allowed because RegExp is a function.

                              Cool.
                            • Mark S. Miller
                              Message 14 of 15 , Apr 15, 2008
                                On Tue, Apr 15, 2008 at 4:42 PM, Douglas Crockford
                                <douglas@...> wrote:
                                > > Is it really worth including {,un}escape in light of
                                > > http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ?
                                > > Is it a goal to support older versions of JS that don't have
                                > > {de,en}codeURIComponent?
                                >
                                > It is in the standard [...]

                                I just looked. They are not in the normative part of the ES3 spec.
                                They appear only in Annex B. (B.2.1 & B.2.2)

                                They have never appeared in the Caja whitelist, and probably never
                                will. So they are not in any of the normative supersets of ADsafe.

                                --
                                Cheers,
                                --MarkM
                              • Douglas Crockford
                                Message 15 of 15 , Apr 15, 2008
                                  --- In caplet@yahoogroups.com, "Mark S. Miller" <erights@...> wrote:
                                  > I just looked. They are not in the normative part of the ES3 spec.
                                  > They appear only in Annex B. (B.2.1 & B.2.2)
                                  >
                                  > They have never appeared in the Caja whitelist, and probably never
                                  > will. So they are not in any of the normative supersets of ADsafe.

                                  And they are no longer in ADsafe. JSLint will flag them in all cases.