
Re: defineProperty is a blacklist

From: <sird@rckc.at>
Date: Tue, 15 Feb 2011 20:44:57 -0800
Message-ID: <AANLkTimgzaUZ3yHOPgBc0jbXo8J01G_WoTfiXaV+qSK=@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org
Sandboxed iframes have a unique origin; they can't XHR to the same domain.

They can XHR using CORS, I guess. Haven't tested.

-- Eduardo




On Tue, Feb 15, 2011 at 12:46 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 15 February 2011 07:18, sird@rckc.at <sird@rckc.at> wrote:
>>
>> I wish that JS Workers were completely isolated, and with no XHR, it would
>> be a nice feature (maybe as an extra argument marking the code as
>> untrusted).
>> Anyway, what about a JS Worker triggered from a sandboxed iframe?
>
> Would a sandboxed iframe allow same-origin XHR URLs? You'd need to stop that,
> but even so the point is that defineProperty should be able to disable
> properties of an object that you know nothing about or that can change in
> time.
>
Received on Wednesday, 16 February 2011 04:45:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 16 February 2011 04:45:50 GMT
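
The limitation raised in the quoted message (defineProperty can only disable properties you already know about), as an added example that is not part of the original thread. The host object and the names `makeHost`, `lockKnown`, `exposeOnly`, `fetchData` and `sendBeacon` are hypothetical stand-ins, and the allowlist facade is shown only for contrast.

```javascript
"use strict";

// Constructed stand-in for a host object whose full property set the
// sandbox author does not know and which can gain members over time.
function makeHost() {
  return { fetchData: () => "network access", title: "page title" };
}

// Blacklist: disable each property known to be dangerous, in place.
function lockKnown(host, banned) {
  for (const name of banned) {
    Object.defineProperty(host, name, {
      value: undefined, writable: false, configurable: false,
    });
  }
  return host;
}

// Allowlist: hand out a fresh frozen object carrying only vetted names.
// Values are copied by reference, so only vet values that are safe to share.
function exposeOnly(host, allowed) {
  const facade = Object.create(null);
  for (const name of allowed) {
    if (Object.prototype.hasOwnProperty.call(host, name)) {
      Object.defineProperty(facade, name, { value: host[name], enumerable: true });
    }
  }
  return Object.freeze(facade);
}

// Own property names reachable on obj that the reviewer did not expect.
function unexpectedNames(obj, expected) {
  return Reflect.ownKeys(obj).filter((k) => !expected.includes(k));
}

function demo() {
  const hostA = lockKnown(makeHost(), ["fetchData"]);
  const hostB = makeHost();
  const facade = exposeOnly(hostB, ["title"]);
  // Later, the platform adds a capability nobody listed as banned.
  hostA.sendBeacon = () => "network access";
  hostB.sendBeacon = () => "network access";
  return {
    knownBlocked: hostA.fetchData === undefined,
    blacklistLeaks: unexpectedNames(hostA, ["fetchData", "title"]),
    facadeLeaks: unexpectedNames(facade, ["title"]),
  };
}
```
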