11.1.2 Subsets for Security
- eval() and the Function() constructor are not allowed in any secure subset because they allow the execution of arbitrary strings of code, and these strings cannot be statically analyzed.
- The this keyword is forbidden or restricted because functions (in non-strict mode) can access the global object through this. Preventing access to the global object is one of the key purposes of any sandboxing system.
- The with statement is often forbidden in secure subsets because it makes static code verification more difficult.
- Certain special properties and methods are forbidden in secure subsets because they give too much power to the sandboxed code. These typically include the caller and callee properties of the arguments object (though some subsets do not allow the arguments object to be used at all), the call() and apply() methods of functions, and the constructor and prototype properties. Nonstandard properties such as __proto__ are also forbidden. Some subsets blacklist unsafe properties and globals. Others whitelist a specific set of properties known to be safe.
- Static analysis is sufficient to prevent access to special properties when the property access expression is written using the . operator. But property access with [] is more difficult because arbitrary string expressions within the square brackets cannot be statically analyzed. For this reason, secure subsets usually forbid the use of square brackets unless the argument is a numeric or string literal. Secure subsets replace the [] operators with global functions for querying and setting object properties—these functions perform runtime checks to ensure that they aren’t used to access forbidden properties.
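As an added example (not code from the book or from any of the subsets it describes), here is a pair of runtime-checked accessors of the kind a secure subset substitutes for the [] operator. The function names, the forbidden-property list and the leading-underscore "private" rule are this example's own choices.

```javascript
// Added example: checked replacements for obj[name] and obj[name] = value.
// Names (FORBIDDEN, checkName, safeGet, safeSet) are hypothetical.

// Properties that would let sandboxed code reach the global object, walk or
// rewrite prototype chains, or call a function with an arbitrary `this`.
const FORBIDDEN = new Set([
  "caller", "callee", "arguments",
  "call", "apply", "bind",
  "constructor", "prototype", "__proto__",
  "__defineGetter__", "__defineSetter__", "__lookupGetter__", "__lookupSetter__",
]);

// Normalize and vet a property name at runtime, since the static verifier
// cannot see what a computed string will be. Non-negative integers are
// accepted as array indexes; names beginning with "_" are treated as private
// (an example convention, not one the book mandates).
function checkName(name) {
  if (typeof name === "number" && Number.isInteger(name) && name >= 0) {
    return String(name);
  }
  if (typeof name !== "string") {
    throw new TypeError("property name must be a string or an array index");
  }
  if (FORBIDDEN.has(name) || name.startsWith("_")) {
    throw new TypeError("access to forbidden property: " + name);
  }
  return name;
}

function assertObject(obj, who) {
  if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) {
    throw new TypeError(who + ": target is not an object");
  }
}

// Checked replacement for the expression obj[name].
function safeGet(obj, name) {
  const key = checkName(name);
  assertObject(obj, "safeGet");
  return obj[key];
}

// Checked replacement for the assignment obj[name] = value. Defining the
// property (rather than assigning) also sidesteps inherited setters.
function safeSet(obj, name, value) {
  const key = checkName(name);
  assertObject(obj, "safeSet");
  Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true });
  return value;
}
```

Because the name check runs on every call, a computed name such as "__pro" + "to__" is rejected just as the literal would be, which is exactly what static analysis of the [] operator cannot guarantee.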
A number of secure subsets have been implemented. Although a complete description of any subset is beyond the scope of this book, we’ll briefly describe some of the most important:
ADsafe: ADsafe (http://adsafe.org) was one of the first security subsets proposed. It was created by Douglas Crockford (who also defined The Good Parts subset). ADsafe relies on static verification only, and it uses JSLint (http://jslint.org) as its verifier. It forbids access to most global variables and defines an ADSAFE variable that provides access to a secure API, including special-purpose DOM methods. ADsafe is not in wide use, but it was a proof-of-concept that influenced other secure subsets.
Caja: Caja is part of the OpenSocial API (http://code.google.com/apis/opensocial/) and has been adopted by Yahoo! for use on its websites. The content available at the portal http://my.yahoo.com, for example, is organized into Caja modules.