W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: defineProperty is a blacklist

From: <sird@rckc.at>
Date: Tue, 15 Feb 2011 08:18:56 +0100
Message-ID: <AANLkTikkY48HUDo7sYF-K8ey8steKi9-ewBi4AN9qxZj@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org
Yeah..

I wish that JS Workers were completely isolated, and with no XHR, it would
be a nice feature (maybe as an extra argument marking the code as
untrusted).

Anyway, what about a JS Worker triggered from a sandboxed iframe?

Greetings!

-- Eduardo



On Mon, Feb 14, 2011 at 10:28 AM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 14 February 2011 08:49, sird@rckc.at <sird@rckc.at> wrote:
>
>> Right, from a worker you can nuke away XHR and importScript. It's fairly
>> smaller than a normal window :)
>>
>
> On Firefox yes but Chrome seems to retain XHR when deleting, bug? Then you
> have __proto__, self etc
>
>
>> It's not a whitelist, but given that you get a smaller surface, you are
>> not in so much danger right?
>>
>
> You are in no danger with a whitelist, this is my point but a browser can
> always add a new Object that you did not protect
>
Received on Tuesday, 15 February 2011 07:19:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 15 February 2011 07:19:51 GMT