[E-Lang] defense in depth

Bill Frantz frantz@communities.com
Thu, 25 Jan 2001 12:16:31 -0800


At 03:02 PM 1/25/01 -0500, Jonathan S. Shapiro wrote:
>Bill Frantz wrote:
>> Javascript is supposed to be "safe"... However,
>> EROS should be able to keep it from installing Trojan horses,
>> counterfeiting windows, and stealing data.
>
>What about backwards compatibility?

Of course it isn't going to be compatible.  (There are some things it can
do now we don't want it to do.)  However, perhaps it will still be useful.

In the airline arrival time case, I needed to run the Javascript to enter
the arrival date into the form.  Not having read the code, I believe that
it grabbed today's date from the clock on my computer and stuffed it into
the form as a default.  Even in EROS, that piece of Javascript should
continue to run.

More generally, Javascript is used to control the contents of the many
frames that make up the web page.  While each of these frames will probably
be displayed inside a window which identifies what application is
responsible for it, control within the frame can stay with the Javascript.

In some cases, Javascript is used to communicate with a plugin.  In the
Communities.com Passport system, we have C code to support a non-html
protocol between our servers and the browser, as well as streaming voice,
video etc.  In theory, all of this could be wrapped in a suitable emulation
layer, which only had limited capability to resources in the rest of the
EROS system.  The performance advantages of local caching are probably the
principal legitimate use of the local file system.
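
An added sketch (not part of the original message and not EROS code) of the arrangement described above: the page script is handed only a date-only clock and a write facet on the one form field it needs. The names `makeDateCap`, `makeFieldCap` and `runScript` are hypothetical, and the sketch assumes the platform gives the script no ambient authority beyond the references passed to it.

```javascript
// Attenuated clock: yields the calendar date only; no time of day, no way to set it.
function makeDateCap(now) {
  return Object.freeze({ today: () => now().toISOString().slice(0, 10) });
}

// Write-only facet on ONE named field; the form object itself is never handed out.
function makeFieldCap(form, name) {
  return Object.freeze({ set: (value) => { form[name] = String(value); } });
}

// Host side: run a page script with exactly the capabilities listed, nothing else.
function runScript(script, caps) {
  try {
    return { ok: true, value: script(Object.freeze({ ...caps })) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

function demo() {
  'use strict'; // so writes to frozen capability objects throw instead of failing silently

  // Constructed sample state: one field the script may fill, one it may not touch.
  const form = { arrivalDate: '', frequentFlyerNo: 'FF-0000 (constructed)' };
  const fixedNow = () => new Date(Date.UTC(2001, 0, 25, 20, 16, 31));
  const caps = {
    clock: makeDateCap(fixedNow),
    arrival: makeFieldCap(form, 'arrivalDate'),
  };

  // The legitimate script from the message: default the arrival date to today.
  const fill = runScript((c) => c.arrival.set(c.clock.today()), caps);

  // Scripts that reach for more than they were given: the facet exposes no
  // path back to the form, and frozen capability objects cannot be replaced.
  const probe = runScript((c) => c.arrival.form, caps);
  const tamper = runScript((c) => { c.clock.today = () => '1970-01-01'; }, caps);

  return { form, fill, probe, tamper };
}

console.log(demo());
```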