W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: defineProperty is a blacklist

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 14 Feb 2011 09:28:01 +0000
Message-ID: <AANLkTik2nt-UEMmxHRU2y=ATCs7XW2T=n76-rV7ocY1R@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org
On 14 February 2011 08:49, sird@rckc.at <sird@rckc.at> wrote:

> Right, from a worker you can nuke away XHR and importScript. It's fairly
> smaller than a normal window :)
>

On Firefox yes but Chrome seems to retain XHR when deleting, bug? Then you
have __proto__, self etc


> It's not a whitelist, but given that you get a smaller surface, you are not
> in so much danger right?
>

You are in no danger with a whitelist, this is my point but a browser can
always add a new Object that you did not protect
Received on Monday, 14 February 2011 09:28:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 14 February 2011 09:28:34 GMT