Hi Mathias. Thanks for your interest. See below: On Mon, Jan 4, 2010 at 6:09 AM, Mathias Wagner <[email protected]> wrote: > 1. Are there any plans of implementing stuff like this in Google > Chrome or WebKit in general? Please note that there is a difference > compared to the approach of Mozilla called Content Security Policy.
We already have an implementation of the HTML5's @sandbox attribute. We'd also like to add a lighter-weigh sanitization feature on par with IE8's toStaticHTML. The main difficultly is designing the API. There are a couple of designs floating around, including toStaticHTML, innerStaticHTML, and insertSanitizedHTML: http://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTJzbTY1cWJrNA&hl=en There are various reasons why the jail tag, as such, as not caught on. For example: 1) It requires modifying the parser (i.e., the end tag attributes aren't valid HTML) 2) It's unclear whether authors will properly generate the randomness required 3) It doesn't address AJAX use cases (cross-origin XMLHttpRequest and postMessage) very well 4) It is fairly inflexible (i.e., we have to pick exactly the right set of things to block instead of giving authors control) If you have ideas for a better API, there's some discussion happening on the WHAT WG mailing list: http://lists.whatwg.org/listinfo.cgi/whatwg-whatwg.org We'd certainly be happy to hear any ideas that you have. > 2. How difficult would that be? I imagine a procedure like this: > - parse the HTML Document > - cut out the peaces wrapped by jail tags > - hand the rest to the java-script engine > - take the output of the engine and reinsert the clipped parts The issues are more the design if the API and not its implementation at this point. > And is there any kind of architecture picture of Chrome/Chromium? I > imagine a simple image with the different modules and how they > interact. Thanks a lot. You can find a number of design documents here: http://www.chromium.org/developers/design-documents In particular, you might find these useful: http://www.chromium.org/developers/design-documents/multi-process-architecture http://www.chromium.org/developers/design-documents/displaying-a-web-page-in-chrome Adam -- Chromium Developers mailing list: [email protected] View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
