by tannhaeuser 3203 days ago
Upvoted you, so count me in.

Hard to believe in 2017, but as recently as five years ago Google (of all people) published the Caja compiler [1] for sandboxed/statically verified JavaScript subsets, and there was AdSafe aiming for safe JavaScript as well.

[1]: https://developers.google.com/caja/

[2]: http://www.adsafe.org

2 comments

I don't know its current status with the committee, but https://github.com/tc39/proposal-frozen-realms proposes something equivalent to Caja for modern JS. It can be a lot simpler now because ES6+ is much closer to what's needed than JS was when Caja was made.

AdSafe, and all static lint of ads, was dead from the beginning. If companies serve whatever comes from the ad networks, especially dynamic URLs, there is absolutely no way to enforce anything. You can check, but you can't enforce.

The only sane solution on ads is SafeFrames [1]. Which does not do much, but at least it prevents ads from scraping the page and stealing your cookies from the main domain you are visiting. That is already a win, considering the mess it is now without it.

[1] https://www.iab.com/guidelines/safeframe/