Re: defineProperty is a blacklist

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 14 Feb 2011 07:44:16 +0000
Message-ID: <AANLkTi=J9b=WzX+R5HkLorSSNH3H0m-D-pT-O0m9-cYV@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org
On 13 February 2011 21:55, sird@rckc.at <sird@rckc.at> wrote:

> What about JS Workers?
>

Last time I checked webworkers they didn't seem to allow the removal of all
properties from a worker, in addition it was possible to create requests
that included cookies from the site. This is a perfect example of the need
for a whitelist.

<http://www.businessinfo.co.uk/labs/webworker/webworker.html>


> I know they are async, but may work? What's the use case you are trying to
> solve?
>

I simply want to freeze or disable properties of an object that are unknown
and do not match a whitelist. Most useful in a sandbox situation.
Received on Monday, 14 February 2011 07:44:51 GMT
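
The use case stated in the message above (freeze or disable every property that is unknown and not on a whitelist) could look like this in JavaScript. This is an added example, not code from the thread: `lockDown`, `makeScope` and all property names are hypothetical, and it handles own properties only, so anything inherited through the prototype chain stays reachable.

```javascript
// Added example: allowlist lockdown of an object's own properties.
// lockDown(), makeScope() and every property name below are hypothetical.

function lockDown(target, allowlist) {
  const allowed = new Set(allowlist);
  const report = { kept: [], removed: [], disabled: [], stuck: [] };
  for (const key of Reflect.ownKeys(target)) {
    const name = String(key);
    if (allowed.has(key)) { report.kept.push(name); continue; }
    const desc = Object.getOwnPropertyDescriptor(target, key);
    if (desc.configurable) {
      // Unknown and deletable: remove it outright.
      Reflect.deleteProperty(target, key);
      report.removed.push(name);
    } else if ('value' in desc && desc.writable) {
      // Cannot be deleted, but a writable data property can still be
      // overwritten and then made read-only.
      Object.defineProperty(target, key, { value: undefined, writable: false });
      report.disabled.push(name);
    } else {
      // Non-configurable accessor or read-only value: script cannot
      // neutralise it, so report it instead of silently passing.
      report.stuck.push(name);
    }
  }
  Object.freeze(target); // nothing can be added or re-enabled afterwards
  return report;
}

// Constructed stand-in for a scope handed to sandboxed code.
function makeScope() {
  const scope = { log() {}, fetchLike() {}, addedLater() {} };
  Object.defineProperty(scope, 'pinned',
    { value: 'secret', writable: true, configurable: false, enumerable: true });
  Object.defineProperty(scope, 'origin',
    { get() { return 'https://example.test'; }, configurable: false, enumerable: true });
  return scope;
}

const report = lockDown(makeScope(), ['log']);
console.log(report);
```

A non-empty `stuck` list means the object still exposes something outside the whitelist, which the caller should treat as a failed lockdown.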
