W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: defineProperty is a blacklist

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 14 Feb 2011 09:28:01 +0000
Message-ID: <AANLkTik2nt-UEMmxHRU2y=ATCs7XW2T=n76-rV7ocY1R@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org
On 14 February 2011 08:49, sird@rckc.at <sird@rckc.at> wrote:

> Right, from a worker you can nuke away XHR and importScript. It's fairly
> smaller than a normal window :)

On Firefox yes but Chrome seems to retain XHR when deleting, bug? Then you
have __proto__, self etc

> It's not a whitelist, but given that you get a smaller surface, you are not
> in so much danger right?

You are in no danger with a whitelist, this is my point but a browser can
always add a new Object that you did not protect
Received on Monday, 14 February 2011 09:28:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC