ADsafe is a system that first gained popularity as a utility for cordoning off ads running on a page, since a third-party ad is, in effect, a self-inflicted cross-site scripting (XSS) attack: the publisher deliberately loads someone else's script into its own page.
ADsafe's premise is to forbid markup and language constructs that are deemed unsafe, deny the third-party code access to the page's global object (and to the DOM reached through it), and limit which built-in objects that code can use. Essentially, this creates a sandbox that protects the root site or container from third-party code by limiting the functionality that can exist within an application.
Variables that are defined in the global scope are not allowed within ADsafe. ADsafe does, however, permit limited access to a few of the page's global objects, such as Math.
Since the use of this within a plain function call (as opposed to a method call) maintains a binding to the global object, it is restricted in ADsafe.
eval provides access to the global scope, much like many of the other restricted constructs, and also provides a mechanism for executing arbitrary, unvetted code at runtime.
Access to the arguments pseudo-array is restricted, because it exposes callee and caller, which reach other functions on the call stack.
Because with modifies the scope chain, so that it cannot be decided statically which variable an identifier refers to, its use is restricted.
Due to capability leakage in some browsers, properties such as watch are not allowed in ADsafe when accessed using dot notation (the same names are rejected in subscript notation).