Loading ...
Sorry, an error occurred while loading the content.

adsafe.js

Expand Messages
  • Douglas Crockford
    The first edition of adsafe.js is available at http://adsafe.org/adsafe.js. It still lacks dom wrappage and interwidget communication.
    Message 1 of 7 , Jun 3, 2008
    View Source
    • 0 Attachment
      The first edition of adsafe.js is available at
      http://adsafe.org/adsafe.js. It still lacks dom wrappage and
      interwidget communication.
    • Adam Barth
      ... Attached is a rough first draft of a safe DOM wrapper. The main idea is that untrusted script views DOM nodes simply as integer handles. To read or mutate
      Message 2 of 7 , Jun 6, 2008
      View Source
      • 0 Attachment
        On Tue, Jun 3, 2008 at 1:40 PM, Douglas Crockford <douglas@...> wrote:
        > The first edition of adsafe.js is available at
        > http://adsafe.org/adsafe.js. It still lacks dom wrappage and
        > interwidget communication.

        Attached is a rough first draft of a safe DOM wrapper. The main idea
        is that untrusted script views DOM nodes simply as integer handles.
        To read or mutate the DOM, the untrusted code passes the appropriate
        handles to the SafeDOM API, which interacts with the real DOM. The
        SafeDOM library is intended to limit the untrusted code to interacting
        only with the portion of the document tree that descends from
        root_node. Also, element creation and modification can be controlled
        by a policy, as demonstrated by the implementation of createElement.

        The attached code is completely untested. It is intended to sketch
        out an architecture for how the DOM API could be safely exposed to
        JavaScript which passes the ADsafe validator.

        Adam
      • David-Sarah Hopwood
        ... It would be easy to make the handles opaque: var nodes = []; function handleToNode(handle) { return handle.__node__; } function nodeToHandle(node) { if
        Message 3 of 7 , Jun 6, 2008
        View Source
        • 0 Attachment
          Adam Barth wrote:
          > On Tue, Jun 3, 2008 at 1:40 PM, Douglas Crockford <douglas@...> wrote:
          >> The first edition of adsafe.js is available at
          >> http://adsafe.org/adsafe.js. It still lacks dom wrappage and
          >> interwidget communication.
          >
          > Attached is a rough first draft of a safe DOM wrapper. The main idea
          > is that untrusted script views DOM nodes simply as integer handles.

          It would be easy to make the handles opaque:

          var nodes = [];

          function handleToNode(handle) {
          return handle.__node__;
          }

          function nodeToHandle(node) {
          if (!node) return null;

          // Check if we've seen this node before.
          var handle = node.__safe_dom_handle__;
          if (handleToNode(handle) === node)
          return handle;

          // Need to allocate a new handle and add it to the nodes array.
          nodes[nodes.length] = node;
          var handle = makeHandle(node);
          node.__safe_dom_handle__ = handle;
          return handle;
          }

          function makeHandle(node) {
          return {__node__: node};
          }

          function assertHandle(handle) {
          if (handle.__node__ !== void 0)
          throw INVALID_HANDLE_ERR;
          }

          [...]
          API.getElementById = function(id) {
          assertString(id);

          var n = nodes.length;
          for (var i = 0; i < n; ++i) {
          var node = nodes[i];
          if (node.getAttribute && node.getAttribute('id') === id)
          return node.__safe_dom_handle__;
          }
          return null;
          };

          This approach prevents a script from relying on the fact that you're
          implementing handles as integers. More importantly, though, it allows
          the handle objects to implement tamed DOM methods (using lexical
          encapsulation), allowing the API to look more like the original DOM:

          function makeHandle(node) {
          return {
          __node__: node,
          hasChildNodes: function () {
          return node.hasChildNodes();
          },
          getNodeType: function () {
          return node.nodeType;
          },
          getNodeName: function () {
          return node.nodeName;
          },
          getNodeValue: function () {
          return node.nodeValue;
          },
          getFirstChild: function () {
          return nodeToHandle(node.firstChild);
          },
          getLastChild: function () {
          return nodeToHandle(node.lastChild);
          },
          getNextSibling: function () {
          if (node === root_node) return null;
          return nodeToHandle(node.nextSibling);
          },
          getPreviousSibling: function () {
          if (node === root_node) return null;
          return nodeToHandle(node.parentNode);
          }
          };
          }

          (It's also possible to support properties like 'nodeValue' directly rather
          than via getter methods, but in that case mutable properties would have to
          be kept in sync whenever the underlying node changed -- unless you rely on
          Mozilla or ES3.1 property getters.)

          Note that, unlike in Caja or Jacaranda, these methods cannot refer to
          'this', because ADsafe does not prevent obtaining a property that holds
          a function and then calling it with 'this' bound to the global object.
          ADsafe also does not prevent setting arbitrary properties (unless they
          start with _ or are blacklisted), so there is no encapsulation between
          objects created by a given script, including handle objects. However,
          encapsulation is not strictly needed for ADsafe's threat model.
          Caja, Cajita and Jacaranda incur much greater implementation complexity
          (less so for Jacaranda, but still more than ADsafe) in order to support
          this encapsulation.

          --
          David-Sarah Hopwood
        • David-Sarah Hopwood
          ... I was slightly unclear here. Encapsulation of the underlying DOM node objects from the script is required; in the implementation I suggested, that is
          Message 4 of 7 , Jun 6, 2008
          View Source
          • 0 Attachment
            David-Sarah Hopwood wrote:
            > Note that, unlike in Caja or Jacaranda, these methods cannot refer to
            > 'this', because ADsafe does not prevent obtaining a property that holds
            > a function and then calling it with 'this' bound to the global object.
            > ADsafe also does not prevent setting arbitrary properties (unless they
            > start with _ or are blacklisted), so there is no encapsulation between
            > objects created by a given script, including handle objects. However,
            > encapsulation is not strictly needed for ADsafe's threat model.

            I was slightly unclear here. Encapsulation of the underlying DOM node
            objects from the script is required; in the implementation I suggested,
            that is achieved by a combination of holding the node in a property that
            starts with _, and lexical closures. Encapsulation of other properties
            of the handle objects from the script is not required: it does not matter
            that a script can replace methods of a handle object, for example.

            --
            David-Sarah Hopwood
          • David-Sarah Hopwood
            ... [...] ... [...] ... This will leak memory on IE (even after the nodes array has become unreferenced after leaving the page), because JScript s excuse for a
            Message 5 of 7 , Jun 7, 2008
            View Source
            • 0 Attachment
              David-Sarah Hopwood wrote:
              > Adam Barth wrote:
              >> On Tue, Jun 3, 2008 at 1:40 PM, Douglas Crockford
              >> <douglas@...> wrote:
              >>> The first edition of adsafe.js is available at
              >>> http://adsafe.org/adsafe.js. It still lacks dom wrappage and
              >>> interwidget communication.
              >>
              >> Attached is a rough first draft of a safe DOM wrapper. The main idea
              >> is that untrusted script views DOM nodes simply as integer handles.
              >
              > It would be easy to make the handles opaque:
              >
              [...]
              > node.__safe_dom_handle__ = handle;
              [...]
              > function makeHandle(node) {
              > return {__node__: node};
              > }

              This will leak memory on IE (even after the nodes array has become
              unreferenced after leaving the page), because JScript's excuse for a
              garbage collector cannot collect cycles that involve a DOM object.
              That problem could be fixed by having the node object store the index
              of the handle in the nodes array, rather than a reference to the handle.

              --
              David-Sarah Hopwood
            • Douglas Crockford
              I repaired some leakage in the ADsafe Ajax library. Grateful thanks to John Mitchell, Sergio Maffeis, and Ankur Taly. http://www.doc.ic.ac.uk/~maffeis/ I also
              Message 6 of 7 , Jul 31, 2009
              View Source
              • 0 Attachment
                I repaired some leakage in the ADsafe Ajax library. Grateful thanks to John Mitchell, Sergio Maffeis, and Ankur Taly. http://www.doc.ic.ac.uk/~maffeis/

                I also changed the restrictions on ADSAFE.get and ADSAFE.put. They now reject negative numbers and strings starting with '-'.
              • Douglas Crockford
                ... This produces a bunch from which all text nodes containing only whitespace are removed I added these bunch methods: .each(func) The function is called for
                Message 7 of 7 , Aug 7, 2009
                View Source
                • 0 Attachment
                  I added a new query pattern:

                  :trim

                  This produces a bunch from which all
                  text nodes containing only whitespace
                  are removed

                  I added these bunch methods:

                  .each(func)

                  The function is called for each node in
                  the bunch.

                  .title(value)

                  Set the title attribute of each node.

                  .getTitle()

                  Get the title attribute of each node.

                  I changed the way ADSAFE._intercept(func) works.
                  It is now called as a method, passing a function
                  that will be called when a new widget is started.

                  http://www.JSLint.com/ is now an ADsafe widget.
                Your message has been successfully submitted and would be delivered to recipients shortly.