Opened 12 years ago

Closed 11 years ago

Last modified 10 years ago

#6348 closed enhancement (fixed)

Secure JavaScript Support

Reported by: kriszyp Owned by: Kris Zyp
Priority: high Milestone: 1.2
Component: Dojox Version: 1.0
Keywords: security Cc: alex
Blocked By: Blocking:

Description

Add object-capability JavaScript validation, specifically with support for the ADsafe dialect (but other dialects could be supported). This is intended to be used in conjunction with cross-site XHR/XDomainRequest to load scripts, and then validate and evaluate them. This could alternately be used with a CrossSafe/Subspace technique for securely loading scripts with sandboxed frames and then introducing validated scripts into the parent environment. In order to be useful, the object-capability validation will also need access to a controlled DOM API, and a safe subset of the Dojo library. I would also like to implement this controlled DOM API (using getters/setters and lettables), and create a whitelisted safe subset of the Dojo toolkit to make available to untrusted scripts.

Here is the project description I created for the README:

DojoX Secure is a collection of tools for security, in particular for working with untrusted data and code. The following tools will be a part of DojoX Secure:

dojox.secure.capability - Object-capability JavaScript validation. This is a validator to run before eval to ensure that a script can't access or modify any objects outside of those specifically provided to it.

dojox.secure.ADsafe - Provides support for the ADsafe dialect of object-capability JavaScript.

dojox.secure.load - Provides support for loading JSON and scripts from other domains using the Subspace technique. Subspace uses JSONP/script tag insertion in iframes to sandbox the loading of cross-site loading.

dojox.secure.safeDOM - Provides a DOM facade that restricts access to a specified subtree of the DOM. The DOM facade will use getters/setters and lettables to emulate the DOM API.

dojox.secure.OAuth - Provides an implementation of OAuth.

dojox.secure.safeDojo - Creates a safe subset of the Dojo toolkit that can be accessed by object-capability JavaScript.
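The subtree-restricting facade described for dojox.secure.safeDOM can be sketched as follows. This is an added example, not code from the ticket or from dojox.secure: `safeFacade`, `node` and `climb` are hypothetical names, plain objects stand in for DOM nodes so it runs outside a browser, and it assumes a capability validator already prevents the untrusted script from reaching globals.

```javascript
// Added illustration; safeFacade, node and climb are hypothetical names,
// not the dojox.secure.safeDOM API.

// Constructed stand-in for a DOM tree (plain objects, no browser needed).
function node(tag, children = []) {
  const n = { tagName: tag, parentNode: null, childNodes: children, ownerDocument: "DOCUMENT" };
  children.forEach((c) => { c.parentNode = n; });
  return n;
}
const widget = node("div", [node("span"), node("p", [node("em")])]);
const page = node("body", [node("header"), widget]);

function safeFacade(root) {
  const cache = new WeakMap(); // raw node -> facade, keeps identity stable

  function inSubtree(raw) {
    for (let n = raw; n; n = n.parentNode) if (n === root) return true;
    return false;
  }

  function wrap(raw) {
    if (!raw || !inSubtree(raw)) return null; // never hand out nodes outside root
    if (cache.has(raw)) return cache.get(raw);
    const facade = Object.create(null); // the facade object itself has no prototype
    Object.defineProperties(facade, {
      tagName: { get: () => raw.tagName, enumerable: true },
      // Upward navigation stops at the sandbox root.
      parentNode: { get: () => (raw === root ? null : wrap(raw.parentNode)), enumerable: true },
      // Children are handed out only as facades, never as raw nodes.
      childNodes: { get: () => Object.freeze(raw.childNodes.map((c) => wrap(c))), enumerable: true },
    });
    cache.set(raw, Object.freeze(facade));
    return cache.get(raw);
  }
  return wrap(root);
}

// Tag names reachable by walking parentNode upward from a starting node.
function climb(start) {
  const seen = [];
  for (let n = start; n; n = n.parentNode) seen.push(n.tagName);
  return seen;
}
```

Walking up from the raw `em` node reaches `body`, while the same walk through the facade ends at the `div` the script was granted; properties that are not whitelisted, such as `ownerDocument`, are simply absent.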

Attachments (1)

secure.diff (73.6 KB) - added by kriszyp 12 years ago.
dojox.secure package


Change History (4)

comment:1 Changed 12 years ago by kriszyp

This is ongoing; more files will come later (like unit tests).

Changed 12 years ago by kriszyp

Attachment: secure.diff added

dojox.secure package

comment:2 Changed 11 years ago by Kris Zyp

Resolution: fixed
Status: new → closed

There will probably be more additions to this project in the future, but the essential functionality has been checked in.

comment:3 Changed 10 years ago by bill

Owner: changed from kriszyp to Kris Zyp