On 29/01/2018 09:32, JewSA wrote:
Technically, jewscript allows the execution of arbitrary code. Game Over.
Javascript can be, and should be, compiled into caja, which is a safe subset of Javascript. Unfortunately, this solution is only available for servers, not end users. The caja subset of javascript has no access to the dom, and runs in a sandbox. So it can only screw things that you put into the sandbox. I would like to see an end user caja system that constrains java on arbitrary web pages so that it can only tinker with its own web page, talk to the server whose address appears on the url line that you see when looking at that web page, and has no knowledge of anything about your computer except the clicks on that web page and text you have typed into that web page. Which was how javascript was originally supposed to work.