Posted to batik-dev@xmlgraphics.apache.org by Vincent Hardy <vi...@sun.com> on 2002/04/30 13:42:57 UTC
cvs commit: xml-batik/samples/tests/spec/scripting security.svg
security2.jar security2.svg
vhardy      02/04/30 01:45:16

Modified:
  .
      build.xml
  resources/org/apache/batik/apps/svgbrowser/resources
      GUI.properties
  resources/org/apache/batik/bridge/resources
      Messages.properties
  sources/org/apache/batik/apps/svgbrowser
      Application.java JSVGViewerFrame.java Main.java
      PreferenceDialog.java
  sources/org/apache/batik/bridge
      BaseScriptingEnvironment.java Messages.java
      ScriptingEnvironment.java UserAgent.java
      UserAgentAdapter.java
  sources/org/apache/batik/script
      InterpreterFactory.java InterpreterPool.java Window.java
  sources/org/apache/batik/script/jacl
      JaclInterpreterFactory.java
  sources/org/apache/batik/script/jpython
      JPythonInterpreterFactory.java
  sources/org/apache/batik/script/rhino
      RhinoInterpreterFactory.java
  sources/org/apache/batik/swing/svg
      JSVGComponent.java SVGUserAgent.java
  sources/org/apache/batik/transcoder/image
      ImageTranscoder.java
  sources/org/apache/batik/transcoder/print
      PrintTranscoder.java
  sources/org/apache/batik/util
      SVGConstants.java

Added:
  resources/org/apache/batik/apps/svgbrowser/resources
      svgbrowser.bin.policy svgbrowser.policy
  resources/org/apache/batik/script/rhino/resources
      messages.properties
  sources/org/apache/batik/bridge
      DefaultScriptSecurity.java NoLoadScriptSecurity.java
      RelaxedScriptSecurity.java ScriptSecurity.java
  sources/org/apache/batik/script/rhino
      Messages.java
  samples/tests/resources/java/resources/com/untrusted/script
      security2.mf
  samples/tests/resources/java/sources/com/untrusted/script
      UntrustedScriptHandler.java
  samples/tests/resources/script
      common.js rhinoSecurity.js scrollbar.js
  samples/tests/spec/scripting
      security.svg security2.jar security2.svg

Log:
Initial security support for the Squiggle browser.

By default:
. Scripts run in a sandbox.
. Scripts can only connect back to the server from
  which the document they belong to was loaded.
. Scripts can only come from the same server as the
  document they are linked from.

These behaviors are optional (in the Preference Dialog,
Browser options):
. Users can disable/enable script security altogether.
. Users can disable/enable script types (java or ecmascript)
. Users can disable/enable limiting scripts to the same
  origin as the document that references them.

Note that when the configuration is such that the
user allows script coming from a different origin than
that of the document referencing it, the script can
only connect back to the server which served the
script and not to the server which served the
document.

Limitations:
- in this initial commit, ECMA scripts cannot connect back
  to the server which served them. This should be added
  shortly.
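
Added example, not part of the commit and not Batik's own code: a small Java model of the load and connect-back rules the log message describes, showing that both the default and the relaxed setting bind connections to the server that served the script. The class name ScriptOriginPolicy, its methods and the sample URLs are hypothetical, "same server" is assumed to mean same scheme, host and port, and the script-type toggle and the ECMAScript limitation are not modelled.

```java
import java.net.URI;
import java.util.Locale;

// Added illustration of the policy in the log message; not Batik's ScriptSecurity classes.
public class ScriptOriginPolicy {
    private final boolean securityEnabled;    // preference: script security on/off
    private final boolean sameOriginRequired; // preference: limit scripts to document's server

    public ScriptOriginPolicy(boolean securityEnabled, boolean sameOriginRequired) {
        this.securityEnabled = securityEnabled;
        this.sameOriginRequired = sameOriginRequired;
    }

    // Assumption: "same server" means same scheme, host and port (default ports normalised).
    static String server(URI u) {
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost() == null ? "" : u.getHost().toLowerCase(Locale.ROOT);
        int port = u.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
        }
        return scheme + "://" + host + ":" + port;
    }

    // A script may load when security is off, when cross-server scripts are
    // allowed, or when it comes from the server that served the document.
    public boolean mayLoadScript(URI script, URI document) {
        return !securityEnabled || !sameOriginRequired
                || server(script).equals(server(document));
    }

    // A running script may connect only to the server that served the script;
    // under the default settings that is also the document's server.
    public boolean mayConnect(URI script, URI target) {
        return !securityEnabled || server(script).equals(server(target));
    }

    public static void main(String[] args) {
        // Constructed sample URLs.
        URI doc = URI.create("http://docs.example.org/map.svg");
        URI foreign = URI.create("http://cdn.example.net/widget.js");
        ScriptOriginPolicy defaults = new ScriptOriginPolicy(true, true);
        ScriptOriginPolicy relaxed = new ScriptOriginPolicy(true, false);
        System.out.println("default loads foreign script: " + defaults.mayLoadScript(foreign, doc));
        System.out.println("relaxed loads foreign script: " + relaxed.mayLoadScript(foreign, doc));
        System.out.println("foreign script -> document server: " + relaxed.mayConnect(foreign, doc));
        System.out.println("foreign script -> its own server: " + relaxed.mayConnect(foreign, foreign));
    }
}
```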