First prototypes

.gitignore

 *~
+/index.html

proto0/README.org

+* Motivation
+  This example is used to demonstrate how passing an object from one
+  frame to another can lead to leaks.
+
+** non-primitive
+   Passing a "non-primitive" object as part of an API will leak its prototype chain
+
+** primitive
+   If a "primitive" object such as a string is passed, the string will not inherit 
+   from the sandboxed environment's prototype chain, but from the host environment 
+   (to be clear, it will *not be a string* from the sandboxed env. point of view)

proto1/polyglot/polyglot.js

+// Nasty service. Sets cookies for later use (ads, whatever)
+
+function init(context) {
+
+    initService();
+
+    context.polyglot = function(string) {
+        return translate(string);
+    };
+
+    context._ = context.polyglot;
+
+    function translate(string) {
+        return 'world';
+    };
+
+    function initService() {
+        document.cookie = 'foo=bar;domain=ads.com;';
+    };
+};
+
+init(this);
+

proto1/test.html

+<html>
+  <head>
+    <title>Proto 1</title>
+    <script src="polyglot/polyglot.js"></script>
+    <script src="http://code.jquery.com/jquery.js"></script>
+  </head>
+  <body>
+    <div id="content"></div>
+    <script>jQuery('#content').html(_('hello'))</script>
+  </body>
+</html>

proto2/polyglot/polyglot.js

+// Nasty service. Sets cookies for later use (ads, whatever)
+
+function init(context) {
+
+    initService();
+
+    context.polyglot = function(string) {
+        return translate(string);
+    };
+
+    context._ = context.polyglot;
+
+    function translate(string) {
+        return 'world';
+    };
+
+    function initService() {
+        document.cookie = 'foo=bar;domain=ads.com;';
+    };
+
+    console.log(window.parent.document.title = 'My injected title');
+};
+
+init(this);
+

proto2/sandbox.html

+<html>
+  <head>
+    <title>Sandboxed page</title>
+    <script src="polyglot/polyglot.js"></script>
+  </head>
+  <body>
+    <div id="content"></div>
+    <script>var request = prompt("Give me your password"); alert(_(request))</script>
+  </body>
+</html>

proto2/test.html

+<html>
+  <head>
+    <title>Proto 1</title>
+    <!-- <script src="polyglot/polyglot.js"></script> -->
+    <script src="http://code.jquery.com/jquery.js"></script>
+  </head>
+  <body>
+    <div id="content"></div>
+    <iframe src="sandbox.html" style="display: none;">
+    </iframe>
+    <!-- <script>jQuery('#content').html(_('hello'))</script> -->
+  </body>
+</html>

proto3/polyglot/polyglot.js

+// Nasty service. Sets cookies for later use (ads, whatever)
+
+function init(context) {
+
+    initService();
+
+    context.polyglot = function(string) {
+        return translate(string);
+    };
+
+    context._ = context.polyglot;
+
+    function translate(string) {
+        return 'world';
+    };
+
+    // We can anyway set the cookie. That's the privilege of any
+    // window object, sandboxed or not
+    function initService() {
+        document.cookie = 'foo=bar;domain=ads.com;';
+    };
+
+    // Different domain name (same origin policy). No access to the
+    // parent window.  This policy is not the default one in IE6 (and
+    // can be reduced to permissive policy through flash in IE7)
+    console.log(window.parent.document.title = 'My injected title');
+};
+
+init(this);
+

proto3/sandbox.html

+<html>
+  <head>
+    <title>Sandboxed page</title>
+    <script src="polyglot/polyglot.js"></script>
+  </head>
+  <body>
+    <div id="content"></div>
+    <script>var request = prompt("Give me your password"); alert(_(request))</script>
+  </body>
+</html>

proto3/test.html

+<html>
+  <head>
+    <!-- No communication between frames. The untrusted domain name ads.com -->
+    <!-- is isolated from the outer window object. -->
+    <title>Proto 1</title>
+    <script src="http://code.jquery.com/jquery.js"></script>
+  </head>
+  <body>
+    <div id="content"></div>
+    <iframe src="http://ads.com/proto3/sandbox.html" style="display: none;">
+    </iframe>
+  </body>
+</html>

proto4/polyglot/polyglot.js

+// Nasty service. Sets cookies for later use (ads, whatever)
+
+function init(context) {
+
+    initService();
+
+    context.polyglot = function(string) {
+        return translate(string);
+    };
+
+    context._ = context.polyglot;
+
+    function translate(string) {
+        return 'world';
+    };
+
+    // We can anyway set the cookie. That's the privilege of any
+    // window object, sandboxed or not
+    function initService() {
+        document.cookie = 'foo=bar;domain=ads.com;';
+    };
+
+    // Different domain name (same origin policy). No access to the
+    // parent window.  This policy is not the default one in IE6 (and
+    // can be reduced to permissive policy through flash in IE7)
+    console.log(window.parent.document.title = 'My injected title');
+};
+
+init(this);
+

proto4/sandboxing/sandbox.html

+<html>
+  <head>
+    <!-- Here we want to setup a communication channel between the isolated guestcode and the main environment. -->
+    <!-- We have several options at hand: -->
+    <!-- - use the hash fragment of the URL (see biblio of deliverable #2) -->
+    <!-- - pass an object (not an option, due to object leaks from the main environment, see proto0) -->
+    <!-- - use HTML5's postMessage channel -->
+    <!-- - use websocket -->
+    <title>Sandboxed page</title>
+    <script src="polyglot/polyglot.js"></script>
+  </head>
+  <body>
+    <div id="content"></div>
+    <script>var request = prompt("Give me your password"); alert(_(request))</script>
+  </body>
+</html>

proto4/test.html

+<html>
+  <head>
+    <!-- No communication between frames. The untrusted domain name ads.com -->
+    <!-- is isolated from the outer window object. -->
+    <title>Proto 1</title>
+    <script src="http://code.jquery.com/jquery.js"></script>
+  </head>
+  <body>
+    <div id="content"></div>
+    <iframe src="http://ads.com/proto3/sandbox.html" style="display: none;">
+    </iframe>
+  </body>
+</html>