Re: defineProperty is a blacklist from gaz Heyes on 2011-02-14 (public-web-security@w3.org from February 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 14 Feb 2011 07:44:16 +0000
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org
Message-ID: <AANLkTi=J9b=WzX+R5HkLorSSNH3H0m-D-pT-O0m9-cYV@mail.gmail.com>

On 13 February 2011 21:55, sird@rckc.at <sird@rckc.at> wrote:

> What about JS Workers?
>

Last time I checked webworkers they didn't seem to allow the removal of all
properties from a worker, in addition it was possible to create requests
that included cookies from the site.This is a perfect example of the need
for a whitelist.

<http://www.businessinfo.co.uk/labs/webworker/webworker.html>

> I know they are async, but may work? What's the use case you are trying to
> solve?
>

I simply want to freeze or disable properties of a object that are unknown
and do not match a whitelist. Most useful in a sandbox situation.

Received on Monday, 14 February 2011 07:44:51 UTC