[whatwg] sandboxing scripts

[Hallvord R M Steen]

Just playing around with ideas for other security models for SCRIPT.

A script from another server today has no limits if included in a page
with a SCRIPT src= tag. In many scenarios it would be interesting to a
webmaster to have a sort of "grades of trust" approach and specify
some more about what one would allow a foreign script to do, for
example but not limited to when including third-party advertising.
However, I would rather not see anything approaching the Java security
model in terms of complexity.

Here's what I thought: a new attribute "sandbox" (or "securitypolicy",
name doesn't matter much) might tell the UA something about what the
script can do:

<script src="..." sandbox="writeonly">
- script may use ECMAScript features and variables already created in
page but may not use any host objects or methods except document.open
/ .write / .close. Typical use case is advertisment scripts that only
add content to document.

<script src="..." sandbox="none">
- script may not alter document at all, only create variables. Typical
use case is a script that just adds data from a third-party source,
for example creates arrays or JSON structures.

(perhaps also <script src="..." sandbox="dom"> to indicate that a
script should have DOM access - but that pretty much equals access to
everything, same as leaving out the sandbox attribute completely..)

In all cases the limitation would apply only to the thread created by
that SCRIPT tag. Functions defined in those scripts might be called
later and would run with normal privileges.

--
Hallvord R. M. Steen