[webkit-dev] a simple isolatedworlds alternative for uzbl?

Dieter Plaetinck dieter at plaetinck.be
Wed Jan 27 12:49:42 PST 2010

Hi guys,
as a continuation of my earlier topic:

We've read more about isolatedworlds (
http://www.adambarth.com/papers/2010/barth-felt-saxena-boodman.pdf et

but given:
1) it's not implemented yet in webkitgtk+
2) it looks kinda complex
3) it doesn't give the impression it's waterproof (for example: "to
select the correct world with reasonable assurance (...)" on page 10
of the pdf)
4) we treat local code as trusted. after all we're talking about small
scripts the user explicitly enables, not untrustworthy addons. we
assume local scripts are written and treated with the same care as the
source code of the browser itself.

we are investigating other directions to solve our issue.

one such approach is can be seen at:

the idea is that we would only call our special (privileged) object by
'this.Uzbl' and using a different 'this' for the local scripts and the
remote ones.
If we make sure we never pass around the instance of this.Uzbl as
arguments or put it in another object, we *think* we are good.

more info:

is this a good idea? is it safe? will it stay safe?


More information about the webkit-dev mailing list