ADsafe is a system that first gained popularity as a utility for cordoning off ads running on a page, since ads are simply one form of self-inflicted cross-site scripting (XSS) attack.
ADsafe’s premise is to prevent a developer from using markup that is deemed unsafe, restrict access to the global page object, and limit access to variable types from the third-party code. Essentially, this creates a sandbox that protects the root site or container from third-party code by limiting the functionality that can exist within an application.
ADsafe removes the following features from JavaScript:
Variables that are defined in the global scope are not allowed
within ADsafe. ADsafe does,
however, permit limited access to the Array
, Boolean
, Number
, String
, and Math
global objects of the page.
this
Since the use of this
within a function request maintains a binding to the global object,
it is restricted in ADsafe.
eval
eval
provides access to the
global scope, much like many of our other restricted tags, and also
provides a mechanism for executing insecure code at runtime.
arguments
Access to the arguments
pseudo array is restricted.
with
Since with
modifies the
scope chain, its use is restricted.
Due to capability leakage in some browsers,
arguments
, callee
, caller
, constructor
, prototype
, stack
, unwatch
, valueOf
, and watch
are not allowed in ADsafe
when implemented using dot notation.
This is restricted due to dangerous properties or methods that may be defined with a dangling underscore in some browsers.
Date
and Math.random
objectsThese objects are restricted to make it easier to determine the widget’s behavior.
[] subscript
May be used only with a positive numeric value or a literal string.
Although the ADsafe service has a number of restrictions, it also provides numerous functions for accessing and working with the DOM safely. We will explore many of these functions in the following sections.
18.191.62.122