Re: [Edbrowse-dev] $ object in javascript

[Kevin Carhart <kevin@carhart.net>]

Hi Chris,

> I'll be honest, I am starting to find this project very
> overwhelming on an intellectual level.
> I don't know how long I can keep up.

My alarm bells go off.  You have a veto.  If you think it is like 
this, the drawbacks may outweigh the benefits or something is awry and it 
shouldn't be done this way.  Possibly it could be alleviated if we base 
our changes off of top-down tests like Acid3.  Thank you for the link to 
acid3.  Maybe I am adding unnecessary complication.

> And the security implications of AJAX scare the crap out of me.
> We're making web requests at the behest of code sent to us by total

I think there is a restriction, which may be a convention rather than 
something that is enforced by code, that AJAX cannot load from outside 
domains, but only from the domain of the original page.  I think you're 
right that another entry point from the internet is worrisome.  It is one 
more place where we talk to the curl library and something like malware 
could be retrieved.  Although, is this different than the security 
implications of the web request browsed with the 'b' command in the first 
place?

How do we know when we have done it securely?

> And what are the implications of doing that XHR stuff in startwindow.js,
> rather than native C?  If you need it ported from JS to C, I can
> certainly do that, as I have enough familiarity with both languages.

Thank you.  It is a mixture of both right now.  The reason that there is a 
javascript piece is that there was an existing 
JS implementation that I was able to modify.  This came from the Env JS 
project.  The JS piece mostly gathers parameters.  Then it calls the 
native code, fetchHTTP:

var entire_http_response = 
document.fetchHTTP(this.url,this.method,headerstring,data);

Kevin