Again, consider the browser case: to make untrusted code safe to run, its output
must be restricted so that it cannot place "dangerous" HTML on the web page
(for example, <script> tags containing arbitrary JavaScript). But the container
may want to allow the untrusted code to use such HTML once the container itself
has "blessed" it.
In this case, a capability can be used to wrap the blessed HTML. The capability
prevents the untrusted code from modifying its contents (simply by not providing
any method to do so), but when it is handed to the safe-HTML-writing capability
it bypasses the HTML safety checks and allows the blessed HTML to be written as-is.
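The pattern above, as an added example that is not code from the original post or
from any particular browser sandbox: the container mints a blessed-HTML capability
whose contents live in a closure with no setter, and a writer capability that
recognises minted objects through a private WeakSet. A plain string, or a
look-alike object that merely has the right shape, is escaped; only a minted
object bypasses the check. The names blessHtml, makeSafeHtmlWriter, escapeHtml
and runDemo, and the injected sink (standing in for whatever writes to the page),
are assumptions made for the example.

```javascript
// Added example (not from the original post): a minimal capability that
// wraps container-"blessed" HTML so untrusted code can pass it to a
// safe-HTML-writing capability without being able to alter or forge it.
// blessHtml, makeSafeHtmlWriter, escapeHtml and runDemo are assumed names.

// Private registry of objects minted by blessHtml. Untrusted code never
// receives a reference to this WeakSet, so it cannot register forgeries.
const blessed = new WeakSet();

// Escape the characters that let text break out of an HTML text node or
// attribute value. Applied to anything that is not a blessed value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Container side: mint a capability around HTML the container has decided
// to allow. The markup is captured in a closure and the object is frozen,
// so the holder can read it but has no way to change what it contains.
function blessHtml(html) {
  const markup = String(html); // copied once; no setter is ever exposed
  const cap = Object.freeze({
    toString() { return markup; },
  });
  blessed.add(cap);
  return cap;
}

// Container side: build the writing capability over some sink. In a browser
// the sink would be the code that actually inserts HTML into the page; here
// it is injected so the example runs outside a browser.
function makeSafeHtmlWriter(sink) {
  return function write(value) {
    if (blessed.has(value)) {
      sink(value.toString());   // minted by blessHtml: bypass the checks
    } else {
      sink(escapeHtml(value));  // anything else is treated as text
    }
  };
}

// Demonstration harness: a sink that records what reached the page, plus
// three writes by guest code that holds only { write, widget }.
function runDemo() {
  const page = [];
  const write = makeSafeHtmlWriter((html) => page.push(html));

  // Container blesses a widget and hands both write and widget to the guest.
  const widget = blessHtml('<b>status: ok</b>');

  write(widget);                                  // blessed: written raw
  write('<script>untrusted()</script>');          // plain string: escaped
  write({ toString: () => '<img src=x onerror=untrusted()>' }); // forgery: escaped

  // A tampering attempt on the frozen object is a no-op in sloppy mode and a
  // TypeError in strict mode; either way the contents are unchanged.
  try {
    widget.toString = () => '<script>untrusted()</script>';
  } catch (e) { /* expected under strict mode */ }

  return { page, widgetUnchanged: widget.toString() === '<b>status: ok</b>' };
}
```

The two mechanisms do different jobs: freezing the object plus keeping the markup
in a closure is what stops the holder from modifying the blessed HTML, while the
WeakSet membership test is what stops the holder from forging one, since an object
with the same methods is simply not in the set and falls through to escaping.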