W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: defineProperty is a blacklist

From: <sird@rckc.at>
Date: Tue, 15 Feb 2011 08:18:56 +0100
Message-ID: <AANLkTikkY48HUDo7sYF-K8ey8steKi9-ewBi4AN9qxZj@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org

I wish that JS Workers were completely isolated, and with no XHR, it would
be a nice feature (maybe as an extra argument marking the code as

Anyway, what about a JS Worker triggered from a sandboxed iframe?


-- Eduardo

On Mon, Feb 14, 2011 at 10:28 AM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 14 February 2011 08:49, sird@rckc.at <sird@rckc.at> wrote:
>> Right, from a worker you can nuke away XHR and importScript. It's fairly
>> smaller than a normal window :)
> On Firefox yes but Chrome seems to retain XHR when deleting, bug? Then you
> have __proto__, self etc
>> It's not a whitelist, but given that you get a smaller surface, you are
>> not in so much danger right?
> You are in no danger with a whitelist, this is my point but a browser can
> always add a new Object that you did not protect
Received on Tuesday, 15 February 2011 07:19:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC