From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out.smtp-auth.no-ip.com (out.smtp-auth.no-ip.com [8.23.224.60]) by hurricane.the-brannons.com (Postfix) with ESMTPS id C1E377913E for ; Mon, 26 Dec 2016 22:52:49 -0800 (PST) X-No-IP: carhart.net@noip-smtp X-Report-Spam-To: abuse@no-ip.com Received: from carhart.net (unknown [99.52.200.227]) (Authenticated sender: carhart.net@noip-smtp) by smtp-auth.no-ip.com (Postfix) with ESMTPA id A2805259; Mon, 26 Dec 2016 22:53:12 -0800 (PST) Received: from carhart.net (localhost [127.0.0.1]) by carhart.net (8.13.8/8.13.8) with ESMTP id uBR6rBb0005805; Mon, 26 Dec 2016 22:53:11 -0800 Received: from localhost (kevin@localhost) by carhart.net (8.13.8/8.13.8/Submit) with ESMTP id uBR6rBS4005802; Mon, 26 Dec 2016 22:53:11 -0800 Date: Mon, 26 Dec 2016 22:53:11 -0800 (PST) From: Kevin Carhart To: Chris Brannon cc: Edbrowse-dev@lists.the-brannons.com In-Reply-To: <87y3z2x90a.fsf@the-brannons.com> Message-ID: References: <20161029110356.eklhad@comcast.net> <20161126224954.eklhad@comcast.net> <87y3z2x90a.fsf@the-brannons.com> User-Agent: Alpine 2.03 (LRH 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Subject: Re: [Edbrowse-dev] $ object in javascript X-BeenThere: edbrowse-dev@lists.the-brannons.com X-Mailman-Version: 2.1.23 Precedence: list List-Id: Edbrowse Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Dec 2016 06:52:50 -0000 Hi Chris, > I'll be honest, I am starting to find this project very > overwhelming on an intellectual level. > I don't know how long I can keep up. My alarm bells go off. You have a veto. If you think it is like this, the drawbacks may outweigh the benefits or something is awry and it shouldn't be done this way. Possibly it could be alleviated if we base our changes off of top-down tests like Acid3. Thank you for the link to acid3. Maybe I am adding unnecessary complication. > And the security implications of AJAX scare the crap out of me. > We're making web requests at the behest of code sent to us by total I think there is a restriction, which may be a convention rather than something that is enforced by code, that AJAX cannot load from outside domains, but only from the domain of the original page. I think you're right that another entry point from the internet is worrisome. It is one more place where we talk to the curl library and something like malware could be retrieved. Although, is this different than the security implications of the web request browsed with the 'b' command in the first place? How do we know when we have done it securely? > And what are the implications of doing that XHR stuff in startwindow.js, > rather than native C? If you need it ported from JS to C, I can > certainly do that, as I have enough familiarity with both languages. Thank you. It is a mixture of both right now. The reason that there is a javascript piece is that there was an existing JS implementation that I was able to modify. This came from the Env JS project. The JS piece mostly gathers parameters. Then it calls the native code, fetchHTTP: var entire_http_response = document.fetchHTTP(this.url,this.method,headerstring,data); Kevin