Re: Growing ADsafe for larger apps?
- --- In firstname.lastname@example.org, "adam.kumpf" <adam.kumpf@...> wrote:
>The source is out there, and you are certainly welcome to adapt it. My energies are now focused on repairing ECMAScript and HTML/DOM, ultimately making ADsafe completely unnecessary.
> I've been interested in ADsafe for a few months now as a potential way to allow 3rd parts apps to work within a safe sandbox.
> However, since ADsafe fundamentally began as a sandbox for safe advertisement (which nicely extends to apps), are there specific things that you would handle differently if the focus was full-scale web applications?
> Said differently, would it be worthwhile to create a derivative framework (for example, APPsafe) specific for webapps? What would its main differences be? Or is it really all the same thing and we'd be better off just having an add-on library that provides some additional glue for hooking up rich web apps within ADsafe?
> The reason I ask is because I have found it somewhat difficult to make simple ADsafe apps that uses current web rendering/layout technologies (such as drawing to a canvas or easily animating CSS properties). I'm excited about the potential of ADsafe, but I'm not clear about its intended scale (ads, widgets, entire sites, an ADsafe browser OS, etc).
On Thu, May 27, 2010 at 5:05 PM, adam.kumpf <adam.kumpf@...> wrote:--
Mark and Mike,
This is really a great discussion -- thanks for detailing out the current state of ECMA Script 5, SES, and the overall feel of where things are going.
I'm particularly intrigued by the SES sketch < http://code.google.com/p/es-lab/source/browse/trunk/src/ses/ > work going on as it seems like a concrete step (although understandably ahead of it's needed conforming ES5 implementation) toward what SES can be.
I think showcasing the potential of what POLA/SES ECMA Script enables is an important step to getting more people excited (and subsequently more development energy and development perspectives).
What would it take to get an example together that uses initSES.js to sandbox a a couple of apps on a webpage? Could it work (at least for the most part) as ES5 Strict stands now?Hi Adam, we are tracking the ES5 implementations in progress atUnfortunately, though all of these are advancing rapidly, none of the browser-based ones have all that's needed to run initSES.js. In particular, the core of SES's security rests on Object.freeze and on the static scoping and defensible encapsulation provided by strict mode. None of the browser-based implementations provide either of these yet. But I expect they're coming soon.
For example, just having two simple text input boxes of ES5 Strict/SES code that is then dynamically loaded into subsequent divs on a webpage. Ideally, it would demonstrate limited communication between the divs while keeping private information inaccessible to the other (perhaps using the purse example, showing POLA in use). The viewer would then be invited to try to "scam the bank" by hacking the script in any way that choose.
The banking example is a bit dry, but perhaps with a little finessing it (or something like it) could be a compelling demo to get more people on-board and involved in making SES happen. I'm in awe of the potential of what the web can become as sites become un-siloed via the concepts behind SES. I think you guys are on to something really big here...This would indeed be a very cool demo! While we're waiting for SES, you can do everything you suggest above with Caja <http://code.google.com/p/google-caja/>. Please try, and please post any questions you may have or issues you run into to <https://groups.google.com/group/google-caja-discuss>. (You need to subscribe before you can post.) Thanks.