#6348 closed enhancement (fixed)
Secure JavaScript Support
| Reported by: | kriszyp | Owned by: | Kris Zyp |
|---|---|---|---|
| Priority: | high | Milestone: | 1.2 |
| Component: | Dojox | Version: | 1.0 |
| Keywords: | security | Cc: | alex |
| Blocked By: | Blocking: |
Description
Add object-capability JavaScript? validation, specifically with support for the ADsafe dialect (but other dialects could be supported). This is intended to be used in conjunction with cross-site XHR/XDomainRequest to load scripts, and then validate and evaluate them. This could alternately be used with a CrossSafe/Subspace? technique for securely loading scripts with sandboxed frames and then introducing validated scripts in to the parent environment. In order to be useful, the object-capability validation will also need access to a controlled DOM API, and a safe subset of the Dojo library. I would also like to implement this controlled DOM API (using getters/setters and lettables), and create a whitelisted safe subset of the Dojo toolkit to make available to untrusted scripts. Here is the project description I created for the README: DojoX Secure is a collection of tools for security, in particular for working with untrusted data and code. The following tools will be a part of DojoX Secure:
dojox.secure.capability - Object-capability JavaScript? validation. This is a validator to run before eval to ensure that a script can't access or modify any objects outside of those specifically provided to it.
dojox.secure.ADsafe - Provides support for the ADsafe dialect of object- capability JavaScript?.
dojox.secure.load - Provides support for loading JSON and scripts from other domains using the Subspace technique. Subspace uses JSONP/script tag insertion in iframes to sandbox the loading of cross-site loading.
dojox.secure.safeDOM - Provides a DOM facade that restricts access to a specified subtree of the DOM. The DOM facade will use getters/setters and lettables to emulate the DOM API.
dojox.secure.OAuth - Provides an implementation of OAuth.
dojox.secure.safeDojo? - Creates a safe subset of the Dojo toolkit that can be accessed by object-capability JavaScript?
Attachments (1)
Change History (4)
comment:1 Changed 12 years ago by
comment:2 Changed 11 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
There will probably be more additions to this project in the future, but the essential functionality has been checked in.
comment:3 Changed 10 years ago by
| Owner: | changed from kriszyp to Kris Zyp |
|---|
This is ongoing, more files will come later (like unit tests)