W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: defineProperty is a blacklist

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 15 Feb 2011 08:46:07 +0000
Message-ID: <AANLkTikKEf1R7FRWnsQWR-1M6N-viKwhuFM7LdmOiqBy@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org
On 15 February 2011 07:18, sird@rckc.at <sird@rckc.at> wrote:

> I wish that JS Workers were completely isolated, and with no XHR, it would
> be a nice feature (maybe as an extra argument marking the code as
> untrusted).
>
> Anyway, what about a JS Worker triggered from a sandboxed iframe?
>

Would a sandboxed iframe allow same origin XHR urls? You'd need to stop that
but even so the point is that defineProperty should be able to disable
properties of an object that you know nothing about or that can change in
time
Received on Tuesday, 15 February 2011 08:53:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 15 February 2011 08:53:46 GMT