Re: defineProperty is a blacklist

From: <sird@rckc.at>
Date: Tue, 15 Feb 2011 20:44:57 -0800
Message-ID: <AANLkTimgzaUZ3yHOPgBc0jbXo8J01G_WoTfiXaV+qSK=@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org

Sandboxed iframes have a unique origin; they can't XHR to the same domain.

They can XHR using CORS, I guess... haven't tested.

-- Eduardo

On Tue, Feb 15, 2011 at 12:46 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 15 February 2011 07:18, sird@rckc.at <sird@rckc.at> wrote:
>> I wish that JS Workers were completely isolated, and with no XHR, it would
>> be a nice feature (maybe as an extra argument marking the code as
>> untrusted).
>> Anyway, what about a JS Worker triggered from a sandboxed iframe?
> Would a sandboxed iframe allow same origin XHR urls? You'd need to stop that
> but even so the point is that defineProperty should be able to disable
> properties of an object that you know nothing about or that can change in
> time

Received on Wednesday, 16 February 2011 04:45:49 UTC
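
The behaviour discussed in this message, as an added example that is not part of the original e-mail: a simplified JavaScript model of how a sandboxed iframe's origin is serialized and of the CORS check in the Fetch standard. The function names and the `app.example` URLs are constructed for illustration, and no network request is made.

```javascript
// Added illustration, not code from the thread. Constructed names and URLs.

// A sandboxed iframe without the allow-same-origin token gets an opaque
// origin, which is sent as the literal string "null" in the Origin header.
// sandboxTokens === null models an iframe with no sandbox attribute at all.
function serializeOrigin(documentUrl, sandboxTokens) {
  const sandboxed = sandboxTokens !== null;
  if (sandboxed && !sandboxTokens.includes("allow-same-origin")) return "null";
  return new URL(documentUrl).origin;
}

// Simplified CORS check: may script in the requesting document read the response?
// responseHeaders uses lower-case header names.
function corsCheck(requestOrigin, targetUrl, responseHeaders, withCredentials = false) {
  // An opaque origin is never same-origin with anything, including its own host.
  if (requestOrigin !== "null" && requestOrigin === new URL(targetUrl).origin) return true;
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;              // no CORS opt-in from the server
  if (!withCredentials && acao === "*") return true; // wildcard, credential-less only
  if (acao !== requestOrigin) return false;          // exact string match required
  if (!withCredentials) return true;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Constructed scenario: the same page loaded normally and inside sandboxed frames.
function scenarios() {
  const page = "https://app.example/widget.html";
  const api = "https://app.example/api/profile";
  const normal = serializeOrigin(page, null);
  const boxed = serializeOrigin(page, ["allow-scripts"]);
  const relaxed = serializeOrigin(page, ["allow-scripts", "allow-same-origin"]);
  return {
    normalSameOrigin: corsCheck(normal, api, {}),
    relaxedSameOrigin: corsCheck(relaxed, api, {}),
    boxedNoCors: corsCheck(boxed, api, {}),
    boxedWildcard: corsCheck(boxed, api, { "access-control-allow-origin": "*" }),
    // Defender's caveat: echoing "null" admits every sandboxed document anywhere.
    boxedNullAllowed: corsCheck(boxed, api, { "access-control-allow-origin": "null" }),
    boxedHostAllowed: corsCheck(boxed, api, { "access-control-allow-origin": normal }),
  };
}
```

An `Access-Control-Allow-Origin: null` response header does not identify a specific caller, so a server that sends it is readable from any opaque-origin document.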