[webkit-dev] a simple isolatedworlds alternative for uzbl?
dieter at plaetinck.be
Wed Jan 27 12:49:42 PST 2010
as a continuation of my earlier topic:
We've read more about isolatedworlds (
1) it's not implemented yet in webkitgtk+
2) it looks kinda complex
3) it doesn't give the impression it's waterproof (for example: "to
select the correct world with reasonable assurance (...)" on page 10
of the pdf)
4) we treat local code as trusted. after all we're talking about small
scripts the user explicitly enables, not untrustworthy addons. we
assume local scripts are written and treated with the same care as the
source code of the browser itself.
we are investigating other directions to solve our issue.
one such approach is can be seen at:
the idea is that we would only call our special (privileged) object by
'this.Uzbl' and using a different 'this' for the local scripts and the
If we make sure we never pass around the instance of this.Uzbl as
arguments or put it in another object, we *think* we are good.
is this a good idea? is it safe? will it stay safe?
More information about the webkit-dev