[e-lang] [Caja] Handling infinite loops; browser crashing behavior
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Thu Oct 30 22:56:43 CDT 2008
Edward Z. Yang wrote:
> Hello all,
>
> I was wondering what safeguards Caja has against disruptive JavaScript
> (both malicious and non-malicious), such as infinite loops, timeout
> bombs and memory hogs?
None. It's not feasible to do this without the cooperation of the
underlying JavaScript implementation. Perhaps something like that might
come out of the "Secure ECMAScript" work; I'll raise this issue at the
next TC39 meeting on Secure ECMAScript (on November 18th).
Firefox (any other browsers?) will disable JavaScript in a frame if
seems to be unresponsive (I don't know exactly what the criterion is).
However AFAICS from the perspective of a heavy Firefox user, this doesn't
seem to be very effective in preventing severe denial-of-sevice from
JavaScript (even just buggy, not malicious code). In any case this is
independent of Caja.
Facebook/FBJS implements the useful idea of preventing JavaScript from
running at all in a particular gadget until a user clicks on it. Caja
would be able to support this.
The 'e-lang' list <http://www.eros-os.org/mailman/listinfo/e-lang> would
a good place to discuss language-level mechanisms for limiting
denial-of-service. Cc: set.
--
David-Sarah Hopwood
More information about the e-lang
mailing list