[whatwg] Prevent a document from being manipulated by a "top" document
John Tamplin
jat at google.com
Tue Aug 2 09:14:22 PDT 2011
On Tue, Aug 2, 2011 at 7:15 AM, Dennis Joachimsthaler <dennis at efjot.de>wrote:
> Am 02.08.2011, 13:12 Uhr, schrieb Anne van Kesteren <annevk at opera.com
>
>
>> If users cannot trust their userscripts and addons (provided they can do
>> unsafe things) they have lost already.
>>
>>
> True. We do not make standards solely to protect inexperienced users.
>
> Thank you for your insight on this matter, though.
>
If you need to run untrusted code, consider
Caja<http://code.google.com/p/google-caja/>.
JS itself doesn't provide the necessary mechanisms to safely execute
untrusted code, so either you trust the code you are running completely (at
least to the limits of what you can enforce running it in an iframe jail) or
you do something like Caja.
--
John A. Tamplin
Software Engineer (GWT), Google
More information about the whatwg
mailing list