
Programming Social Applications by Jonathan LeBlanc


A Lighter Alternative to Caja: ADsafe

ADsafe is a system that first gained popularity as a utility for cordoning off ads running on a page, since ads are simply one form of self-inflicted cross-site scripting (XSS) attack.

ADsafe’s premise is to prevent a developer from using markup that is deemed unsafe, restrict access to the global page object, and limit access to variable types from the third-party code. Essentially, this creates a sandbox that protects the root site or container from third-party code by limiting the functionality that can exist within an application.

ADsafe removes the following features from JavaScript:

Global variables

Variables that are defined in the global scope are not allowed within ADsafe. ADsafe does, however, permit limited access to the Array, Boolean, Number, String, and Math global objects of the page.

this

Since this, when used inside a function call, can retain a binding to the global object, its use is restricted in ADsafe.

eval

eval provides access to the global scope, much like many of the other restricted features, and also provides a mechanism for executing insecure code at runtime.

arguments

Access to the arguments pseudo array is restricted.

with

Since with modifies the scope chain, its use is restricted.

Dangerous methods and properties

Due to capability leakage in some browsers, arguments, callee, caller, constructor, prototype, stack, unwatch, valueOf, and watch are not allowed in ADsafe when implemented using dot notation.

Names starting or ending with an ...
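The restrictions listed above, as an added example that is not the book's code and not ADsafe's own verifier (ADsafe verifies widgets with JSLint): a simplified JavaScript lint that flags this, eval, arguments, with, direct use of the global page object, and the dangerous properties in dot notation, run over a constructed ad widget. ADSAFE.go and dom.q are ADsafe's real entry point and DOM wrapper; the widget source text itself is constructed.

```javascript
// Added example, not the book's or ADsafe's own code: a simplified lint
// for the constructs the text above says ADsafe forbids. ADsafe's real
// verifier is JSLint; this regex pass only illustrates the rules.
const DANGEROUS_PROPERTIES = ["arguments", "callee", "caller", "constructor",
  "prototype", "stack", "unwatch", "valueOf", "watch"];  // dot-notation ban

// Blank out comments and strings (keeping newlines so line numbers hold)
// so a keyword inside a string or comment is not reported.
function stripLiterals(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/\/\/[^\n]*/g, " ")
    .replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g, '""');
}

// Return {line, rule} violations for a widget's source text.
function adsafeLint(src) {
  const violations = [];
  stripLiterals(src).split("\n").forEach((text, idx) => {
    const line = idx + 1;
    const report = (rule) => violations.push({ line, rule });
    if (/(?<![.\w])this\b/.test(text)) report("this");
    if (/\beval\s*\(/.test(text)) report("eval");
    if (/(?<![.\w])arguments\b/.test(text)) report("arguments");
    if (/\bwith\s*\(/.test(text)) report("with");
    // Direct reach for the global page object.
    if (/(?<![.\w])(window|document)\b/.test(text)) report("global-object");
    for (const prop of DANGEROUS_PROPERTIES) {
      if (new RegExp("\\.\\s*" + prop + "\\b").test(text)) {
        report("dot-access:" + prop);
      }
    }
  });
  return violations;
}

// Constructed sample: an ad widget that breaks several of the rules.
const UNSAFE_WIDGET = [
  "var tracker = window.location.href;", // reaches the global page object
  "function show(msg) {",
  "  this.title = msg;",                 // this binds to the global object
  "  eval('render(' + msg + ')');",      // runtime code execution
  "  var f = show.caller.constructor;",  // capability leak via dot notation
  "}",
].join("\n");

// Constructed sample: the same idea inside ADsafe's ADSAFE.go entry point,
// which hands the widget a wrapped DOM rather than the real one.
const SAFE_WIDGET = "ADSAFE.go('AD_', function (dom, lib) {\n" +
  "  dom.q('#AD_title').value('hello');\n});";
```

Running adsafeLint(UNSAFE_WIDGET) reports five violations on lines 1, 3, 4 and 5, while the ADSAFE.go version reports none.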
