Subject: RE: Fw: Signing of XSL scripts
From: "John Dreystadt" <jdreysta@xxxxxxxxxxxxx>
Date: Thu, 28 May 1998 10:26:11 -0400

An alternative direction for secure scripting is the model adopted by the TCL community. They use "SafeTCL" which is a variation on the usual TCL interpreter. SafeTCL has the dangerous components removed or restricted. As pointed out, an arbitrary scripting language exposes the system where the script is running to various attacks. But restrictions can be implemented. ECMAScript is already running inside of web pages that people download all the time. The web browser is responsible for implementing rules that prevent ECMAScript from doing bad things. I believe that we should start by examining what web browsers allow ECMAScript to do, determine what needs to be added for XSL (maybe nothing) and then determine how to add the new functionality safely.

John Dreystadt

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxx]On Behalf Of Gavin Nicol
> Sent: Thursday, May 28, 1998 9:36 AM
> To: xsl-list@xxxxxxxxxxxxxxxx
> Subject: Re: Fw: Signing of XSL scripts
>
>
> >It is beginning to look as if the use of ECMAScript may lead to some
> >problems with system security unless there is a change in the way in which
> >scripts can be authenticated in Internet Explorer. For input/output to a
>
> Even authentication isn't enough. Having an arbitrary scripting language
> opens you to denial of service attacks, and other such things. All the
> signing does is allow you to know who *supposedly* sent you the script
> (it will always be possible to fake identification here too given enough
> resources). What is needed is some way for the XSL processor to be able
> to "prove" correctness.
>
>
> XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
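
The restricted-interpreter model described in this message, shown with Tcl's built-in safe interpreters (Tcl 8.5 or later). This is an added example, not part of the original thread; the `get_resource` procedure, the `resource` alias and the sample data are hypothetical.

```tcl
# Requires Tcl 8.5 or later (for [dict] and [interp limit]).
# get_resource, resource and the sample data are hypothetical names/values.

# 1. Create a safe child interpreter: commands that reach the host
#    (process execution, file and socket access, etc.) are hidden from it.
set child [interp create -safe]
puts "hidden commands: [lsort [interp hidden $child]]"

# 2. An untrusted script that tries to reach the host is refused,
#    because the command simply does not exist in the child.
if {[catch {interp eval $child {exec ls /}} err]} {
    puts "blocked: $err"
}

# 3. Add functionality back deliberately: the parent exposes one narrow,
#    validated command instead of general file or network access.
set resources [dict create title "Quarterly report" author "example"] ;# constructed data
proc get_resource {key} {
    global resources
    if {![dict exists $resources $key]} {
        error "no such resource: $key"
    }
    return [dict get $resources $key]
}
# In the child, "resource" runs get_resource in the parent interpreter.
interp alias $child resource {} get_resource
puts [interp eval $child {string toupper [resource title]}]

# 4. Bound resource use so a runaway script cannot hang the host.
#    The time limit is an absolute epoch time; it acts as the backstop
#    if the command-count limit is not reached first.
interp limit $child commands -value 100000
interp limit $child time -seconds [expr {[clock seconds] + 2}]
if {[catch {interp eval $child {while 1 {incr n}}} err]} {
    puts "stopped: $err"
}

interp delete $child
```

Steps 1 to 3 correspond to removing the dangerous components and adding new functionality back safely; step 4 addresses the denial-of-service concern raised in the quoted reply.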