The web page, on the other hand, has only a very crude way of limiting
the authority of the Flash app to affect the internal state of the
browser: all or nothing, as specified in the allowScriptAccess or
allowNetworking parameters. JavaScript rewriting projects like
Facebook's FBJS, Google's Caja, and Microsoft's Web Sandbox have had
to resort to hacks like prohibiting a third-party Flash gadget from
affecting the browser directly and making it send messages to the
browser via a trusted "bridge" on an asynchronous LocalConnection.
http://wiki.developers.facebook.com/index.php/Fb:fbjs_bridge
This is awkward in many respects. It would be better if the situation
were symmetric, and the page itself were able to specify the policy by
which third-party Flash code was allowed to affect the state. We
shouldn't expect Flash to limit itself in this way; each party should
run its own "firewall".
At the moment, Flash is effectively given the "eval" method; however,
if it were *literally* given the ability only to invoke the function
named "eval", then a page could bind that symbol to a less powerful
function if it desired. This would allow rewriting projects like
those mentioned above to sanitize, prohibit, or merely place a request
into the proper virtual context.
Thoughts?
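The "bind eval to a less powerful function" idea above, as an added example that is not part of the original post. It assumes the hypothetical the post proposes: the gadget's calls into the page go through whatever the page has bound to the symbol "eval". The page binds a restricted interpreter that accepts only `name(<JSON args>)`, dispatches to an explicit allow-list, and hands each request to the gadget's own context object; the names `restrictedEval`, `allowed` and `gadgetContext` are this example's own.

```javascript
// Added example: a page-side "firewall" standing in for the real eval.
// Assumption (from the post's proposal): the gadget can only invoke the
// page's binding of the symbol "eval", so the page decides what it does.

const gadgetContext = { name: "third-party-gadget", log: [] }; // constructed context

// Allow-list: the only capabilities granted to the gadget, each bound to
// the gadget's virtual context rather than to the page's real state.
const allowed = {
  showMessage: (ctx, text) => { ctx.log.push(String(text)); return ctx.log.length; },
  getTitle:    (ctx) => "Sandboxed page title",
};

// Parse `identifier(<json-array-contents>)`. Statements, property access,
// nested calls and unparseable arguments return null and are never evaluated.
function parseCall(src) {
  const m = /^\s*([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?\s*$/s.exec(src);
  if (!m) return null;
  let args;
  try { args = JSON.parse("[" + m[2] + "]"); } catch (e) { return null; }
  return { name: m[1], args };
}

// Replacement for eval on gadget traffic: returns the allow-listed call's
// result, or throws a descriptive error that a bridge could report back.
function restrictedEval(src) {
  const call = parseCall(src);
  if (!call) throw new Error("rejected: not a simple allow-listed call");
  // Own-property check so inherited names like "constructor" are not callable.
  if (!Object.prototype.hasOwnProperty.call(allowed, call.name)) {
    throw new Error("rejected: '" + call.name + "' is not granted to this gadget");
  }
  return allowed[call.name](gadgetContext, ...call.args);
}

// The binding the gadget is handed instead of the real eval. In a page this
// would be the page's "eval" symbol; a plain object stands in for it here.
const bridge = { eval: restrictedEval };
```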