
Re: defineProperty is a blacklist

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 16 Feb 2011 20:53:48 +0000
Message-ID: <AANLkTinMhRSbu3zXaMPcD120XzqAG1QmKfxAvBHw+KvM@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org
On 16 February 2011 19:04, Daniel Veditz <dveditz@mozilla.com> wrote:

> Is Object.preventExtensions what you want?
>
>
> https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Object/preventExtensions
>
> Take a look at Object.seal and Object.freeze as well.
>

Hey Daniel, nope, those prevent an object being modified or extended but do
not prevent access to a property you don't know about. For example, if a
browser added a property to window called "x" which did a redirection and
was not exposed to a for..in loop, then the only way to prevent this would be
to know about "x" and overwrite it. A classic blacklist; whitelists are
better.
Received on Wednesday, 16 February 2011 20:54:15 GMT
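
Added example, not part of the original message: a JavaScript sketch of the distinction drawn above, using a constructed stand-in for `window`. The helper names (`makeHost`, `forInKeys`, `blacklist`, `whitelist`) and the behaviour of `x` are assumptions made for illustration.

```javascript
// Constructed stand-in for a host object such as window. "x" plays the role of
// the hypothetical non-enumerable property from the message.
function makeHost() {
  const host = { title: 'page', status: 'ok' };
  Object.defineProperty(host, 'x', {
    value: (url) => 'redirect to ' + url,
    enumerable: false, writable: true, configurable: true,
  });
  return host;
}

// Property names a for..in loop can discover; non-enumerable "x" is missed.
function forInKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Blacklist: neutralise only the names the defender already knows about.
function blacklist(host, knownBad) {
  for (const name of knownBad) {
    Object.defineProperty(host, name, {
      value: undefined, writable: false, configurable: false,
    });
  }
  return host;
}

// Whitelist: expose a new null-prototype object carrying only approved names.
// Anything else on the host, known or unknown, is simply not reachable.
function whitelist(host, allowed) {
  const facade = Object.create(null);
  for (const name of allowed) {
    Object.defineProperty(facade, name, {
      get: () => host[name], enumerable: true,
    });
  }
  return Object.freeze(facade);
}

const frozen = Object.freeze(makeHost());
console.log(forInKeys(frozen), typeof frozen.x);            // x hidden but callable
console.log(typeof blacklist(makeHost(), ['y']).x);         // unknown name survives
console.log('x' in whitelist(makeHost(), ['title']));       // not exposed at all
```

The facade only helps if untrusted code receives the facade and never a reference to the underlying host object.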
