
Re: Interaction with Workers (was Re: setTimeout error handling)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 29 Mar 2011 20:58:08 -0400
Message-ID: <4D928020.5060902@mit.edu>
To: Brandon Sterne <bsterne@mozilla.com>
CC: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On 3/29/11 5:45 PM, Brandon Sterne wrote:
> On 03/29/2011 01:39 AM, gaz Heyes wrote:
>> I think String is a loose definition, for example what if we call
>> setTimeout with an array or object?
>> setTimeout(["alert(1)"])
>
> Good lord, why does that work?  :-)

Because Array.prototype.toString in ES5 is defined in such a way that 
it's equivalent to calling .join() (with no arguments) on the array in 
question, as long as no one has done anything weird.

You could also get this effect with things like:

   setTimeout({ toString: function() { return "alert(1)"; } });

> s/called with a String argument/called with any argument other than a
> Function object/g

What about function proxies?

What about non-Function callables?

-Boris
Received on Wednesday, 30 March 2011 00:58:45 GMT
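The coercion Boris describes, worked through as an added example (this is not code from the thread). Where a timer API accepts "a Function or a string", the practical question is which side of that union an argument lands on: callables are invoked, everything else is passed through ToString and compiled as code. The helper names (isCallable, coercedHandlerSource, safeSetTimeout, probeCases) and the probe values are assumptions made for this illustration; typeof returning "function" is used as the ES IsCallable test, which also covers function Proxies and bound functions.

```javascript
// Added example, not from the original mailing-list message.
// Models the handler classification a setTimeout implementation performs:
// callable -> invoked; anything else -> ToString -> compiled and evaluated.

// ES IsCallable: typeof yields "function" for any object with a [[Call]]
// internal method, so a Proxy over a function counts, a Proxy over a plain
// object does not.
function isCallable(value) {
  return typeof value === 'function';
}

// The source text the string path of setTimeout would compile, or null when
// the argument is callable and no compilation happens.
function coercedHandlerSource(handler) {
  if (isCallable(handler)) return null;
  // String() is ToString: for objects this is ToPrimitive with hint "string",
  // consulting Symbol.toPrimitive, then toString, then valueOf.
  return String(handler);
}

// Hardened wrapper: forward only callables, so no argument can reach the
// eval path, however it happens to stringify.
function safeSetTimeout(handler, delay, ...args) {
  if (!isCallable(handler)) {
    throw new TypeError('setTimeout handler must be callable, got ' + typeof handler);
  }
  return setTimeout(handler, delay, ...args);
}

// Constructed probe values (assumed for this example) covering the cases
// raised in the thread: strings, arrays, objects with custom conversion,
// ordinary and bound functions, and Proxies.
function probeCases() {
  const fn = function () {};
  const cases = {
    string: 'alert(1)',
    arrayOfString: ['alert(1)'],             // Array.prototype.toString -> join()
    arrayOfTwo: ['alert(1)', 'alert(2)'],   // join() inserts commas
    objectToString: { toString() { return 'alert(1)'; } },
    objectValueOfOnly: { toString: undefined, valueOf() { return 'alert(1)'; } },
    objectToPrimitive: { [Symbol.toPrimitive]() { return 'alert(1)'; } },
    plainFunction: fn,
    boundFunction: fn.bind(null),
    functionProxy: new Proxy(fn, {}),        // target has [[Call]]
    objectProxy: new Proxy({}, {}),          // target has no [[Call]]
  };
  const out = {};
  for (const [name, value] of Object.entries(cases)) {
    out[name] = {
      callable: isCallable(value),
      instanceofFunction: value instanceof Function,
      source: coercedHandlerSource(value),
    };
  }
  return out;
}
```

Running probeCases() shows why a rule phrased as "any argument other than a Function object" is hard to pin down: the array, the three objects and the string all produce "alert(1)" (the two-element array yields "alert(1),alert(2)", itself valid JavaScript), while a Proxy over a function is both callable and instanceof Function. The instanceof check also fails for functions created in another realm (an iframe's window, or a separate vm context), which is one reason to express the check in terms of callability rather than the Function constructor.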
