Re: [caplet] ADsafe

  • Mike Samuel
    Message 1 of 36 , Sep 30, 2007
      (function () {
        var x = function () {};
        var y = 'constructor';
        var z = (x[y]);
        var w = z('alert("hi")');
        w();
      })();

      cheers,
      mike



      On 30/09/2007, Douglas Crockford <douglas@...> wrote:

      JSLint.com contains an ADsafe feature. Its intent is to enforce a safe
      subset of JavaScript for use in ads and widgets. ADsafe requires no
      transformations. It relies solely on verification. Its rules require
      that programs be written in a functional style. It rejects programs
      written in the pseudoclassical or prototypal styles. I am finding that
      the functional style is the most expressive. It also has the best
      security properties.

      ADsafe does not allow definition of global variables or functions. It
      grants one capability, the ADSAFE object, through which other
      capabilities might be obtained. It does not allow access to any
      globals except for the ADSAFE object. It does not allow modification
      of the ADSAFE object. It does not allow method invocations in the []
      form. It does not allow the use of these names:

      apply call callee caller clone constructor eval new
      prototype source this toSource toString watch

      I need your help in testing its robustness. Are the rules sufficient
      to prevent all direct access to the DOM and the global object? Are
      there any small leaks that I am unaware of? Is the approach I'm taking
      inherently unsound? What additional restrictions are required to
      prevent unintended collusion?

      So this is the test:

      Write a program in the form

      (function () {
      ...
      })();

      where the ... is replaced by code that calls the alert function when
      run on any browser. If the program produces no errors when linted with
      the ADsafe option, then I will buy you a plate of shrimp.
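
The gap this message points at, as an added example that is not part of the thread and is not JSLint or ADsafe code: a word list checked only against identifier tokens does not see `'constructor'` when it arrives as a string used in a subscript. The `verify` function, its `strictSubscripts` flag and the numeric-literal-only subscript rule are assumptions made for illustration.

```javascript
// Added example: a toy verifier, not JSLint's or ADsafe's own code.
// Assumption: input has no comments or regular-expression literals.
const BANNED = new Set(['apply', 'call', 'callee', 'caller', 'clone',
  'constructor', 'eval', 'new', 'prototype', 'source', 'this', 'toSource',
  'toString', 'watch']);

// Split source into string, name, number and single-character punctuation tokens.
function tokenize(src) {
  const re = /\s*(?:('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")|([A-Za-z_$][\w$]*)|(\d+)|(\S))/y;
  const out = [];
  let m;
  while (re.lastIndex < src.length && (m = re.exec(src)) !== null) {
    if (m[1]) out.push({ type: 'string', value: m[1] });
    else if (m[2]) out.push({ type: 'name', value: m[2] });
    else if (m[3]) out.push({ type: 'number', value: m[3] });
    else out.push({ type: 'punct', value: m[4] });
  }
  return out;
}

// strictSubscripts=false: banned words are rejected only where they appear as names.
// strictSubscripts=true (hypothetical hardening): a subscript must be one numeric literal.
function verify(src, strictSubscripts) {
  const toks = tokenize(src);
  const errors = [];
  toks.forEach((t, i) => {
    if (t.type === 'name' && BANNED.has(t.value)) errors.push('banned name ' + t.value);
    if (!strictSubscripts || t.type !== 'punct' || t.value !== '[' || i === 0) return;
    const prev = toks[i - 1];
    const isSubscript = prev.type === 'name' || prev.value === ')' || prev.value === ']';
    const next = toks[i + 1], close = toks[i + 2];
    const numeric = next && next.type === 'number' && close && close.value === ']';
    if (isSubscript && !numeric) errors.push('computed subscript after ' + prev.value);
  });
  return errors;
}

// The program from this message, held as inert text; it is only tokenized, never run.
const SAMPLE = `(function () {
  var x = function () {};
  var y = 'constructor';
  var z = (x[y]);
  var w = z('alert("hi")');
  w();
})();`;

console.log(verify(SAMPLE, false), verify(SAMPLE, true));
```

With the name-only check the sample yields no errors; with the subscript rule enabled it is rejected at `x[y]`, while a numeric subscript such as `b[0]` still passes.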


    • Douglas Crockford
      Message 36 of 36 , Nov 11, 2010
        I updated the ADsafe DOM interface. Previously, a method like .getValue() could return

        undefined
        a single value
        an array of values

        depending on the number of results. Now, a method like .getValue() will return the first value that is available, or undefined if there are none. A new method, .getValues() will always return an array, possibly an empty array.