On Fri, 25 Jan 2008, keith wrote:
> Hi Norris,
>
> I tried this but then accessing host objects fail with exceptions such
> as Access to Java class "java.lang.String" is prohibited. I want to
> prohibit running java code directly from javascript but I want to
> expose my host objects. Whats the best way to do this?
I had a bit of a stab at this: ditched the importing of Package into the
namespace and got rid of getClass and other routes to the classloader.
Then whatever APIs I expose to the environment (ie, the graph of
reachable types) seems pretty much under control.
It's being able to implement object capabilities via that "reachable
through calls" graph (which finds troublesome calls under the base class
Object) that seems the most natural way to achieve what I'm after: but
then I'm interested in running JS of a low trust level.
Still not convinced my approach was watertight; it'd be interesting to
hear how others are doing this.
Cheers,
jan
--
jan grant, ISYS, University of Bristol.
http://www.bris.ac.uk/Tel +44 (0)117 3317661
http://ioctl.org/jan/OORDBMSs make me feel old; I remember when this was all fields.
_______________________________________________
dev-tech-js-engine mailing list
dev-tech-js-engine@...
https://lists.mozilla.org/listinfo/dev-tech-js-engine
