Re: Interaction with Workers (was Re: setTimeout error handling)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 29 Mar 2011 09:39:14 +0100
Message-ID: <BANLkTi=mL=nwEPvN02_YZ=8K3qsftXY=2Q@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

On 29 March 2011 01:05, Adam Barth <w3c@adambarth.com> wrote:

> >> [[
> >> User-agents must prevent strings from being converted to ECMAScript
> >> code, including calls to:
> >>
> >> eval()
> >> new Function() constructor
> >> setTimeout() called with a String argument
> >> setInterval() called with a String argument
> >> ]]
> >>
> >> Suppose the page does call setTimeout with a string.  How should the
> >> user agent handle the error?
>

I think String is a loose definition; for example, what if we call setTimeout
with an array or object?

setTimeout(["alert(1)"])

IMO the spec should say any argument that isn't a function when related to
setTimeout/setInterval.

Received on Tuesday, 29 March 2011 08:39:46 GMT
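
The distinction raised in the message above, as an added example that is not part of the original thread: it compares a rule keyed on "is a String" with one keyed on "is not a function" over constructed sample handlers, and shows a wrapper that enforces the stricter rule. All helper names are hypothetical, and the string conversion browsers apply to non-function timer handlers is modelled with `String()` rather than by calling real timers.

```javascript
// Added illustration; sourceTextFor, blockedIfString, blockedIfNotFunction
// and guardTimers are hypothetical names, not part of any specification.

// What a browser would compile if no policy intervened: a non-function
// handler is converted to a string and that string is treated as script.
function sourceTextFor(handler) {
  return typeof handler === "function" ? null : String(handler);
}

// Rule as quoted from the draft: block only when the argument is a String.
const blockedIfString = (h) => typeof h === "string";
// Rule as proposed in the reply: block anything that is not a function.
const blockedIfNotFunction = (h) => typeof h !== "function";

// Constructed sample handlers.
const samples = {
  func: () => {},
  string: "alert(1)",
  array: ["alert(1)"],
  stringObject: new String("alert(1)"),
  objectWithToString: { toString: () => "alert(1)" },
};

// Names of handlers that would become code yet are not blocked by the rule.
function bypasses(isBlocked) {
  return Object.keys(samples).filter(
    (k) => sourceTextFor(samples[k]) !== null && !isBlocked(samples[k])
  );
}

// Wrap the timer functions on `scope` so that non-function handlers throw
// before they reach the underlying implementation.
function guardTimers(scope) {
  for (const name of ["setTimeout", "setInterval"]) {
    const native = scope[name];
    scope[name] = function (handler, ...rest) {
      if (blockedIfNotFunction(handler)) {
        throw new TypeError(name + ": handler must be a function");
      }
      return native.call(this, handler, ...rest);
    };
  }
  return scope;
}
```
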