
Re: Interaction with Workers (was Re: setTimeout error handling)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 29 Mar 2011 18:19:25 -0700
Message-ID: <AANLkTik0Xss_EGW0qd-Ey2yqkj8YBWPq8oPt1XHkWwJ3@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Brandon Sterne <bsterne@mozilla.com>, gaz Heyes <gazheyes@gmail.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Tue, Mar 29, 2011 at 5:58 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 3/29/11 5:45 PM, Brandon Sterne wrote:
>> On 03/29/2011 01:39 AM, gaz Heyes wrote:
>>> I think String is a loose definition, for example what if we call
>>> setTimeout with an array or object?
>>> setTimeout(["alert(1)"])
>>
>> Good lord, why does that work?  :-)
>
> Because Array.prototype.toString in ES5 is defined in such a way that it's
> equivalent to calling .join() (with no arguments) on the array in question,
> as long as no one has done anything weird.
>
> You could also get this effect with things like:
>
>  setTimeout({ toString: function() { return "alert(1)"; } });
>
>> s/called with a String argument/called with any argument other than a
>> Function object/g
>
> What about function proxies?
>
> What about non-Function callables?

WebKit seems to distinguish between callable and non-callable.
Non-callables get coerced to strings, which then get compiled as
script source code, which is what we'd like to avoid.

Adam
Received on Wednesday, 30 March 2011 01:20:30 GMT
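The two behaviours discussed in this thread, the string coercion that turns an array or a `toString`-bearing object into script source and the callable-only rule Adam attributes to WebKit, as an added JavaScript example that is not part of the original thread. `wouldCompileAs` and `safeSetTimeout` are hypothetical helper names, and the sample inputs are constructed to echo the messages above.

```javascript
// Added example (not from the thread). Shows what a "coerce to string,
// then compile" setTimeout would evaluate for each argument kind, and a
// wrapper that refuses anything that is not callable.

// String(x) reproduces the ES5 behaviour Boris describes: for an array,
// Array.prototype.toString is equivalent to .join() with no arguments
// (absent tampering), and any object can supply its own toString.
function wouldCompileAs(arg) {
  if (typeof arg === "function") {
    return { callable: true, source: null };
  }
  return { callable: false, source: String(arg) };
}

// Hypothetical hardened scheduler: only callables are scheduled, so no
// argument is ever turned into script source. A function proxy still
// passes, because typeof reports "function" for it.
function safeSetTimeout(callback, delay, ...args) {
  if (typeof callback !== "function") {
    throw new TypeError(
      "safeSetTimeout: callback must be callable, got " + typeof callback
    );
  }
  return setTimeout(callback, delay, ...args);
}

// Constructed inputs mirroring the thread's examples.
const samples = {
  array: ["alert(1)"],
  customToString: { toString: function () { return "alert(1)"; } },
  plainString: "alert(1)",
  fn: function () { return 1; },
  proxiedFn: new Proxy(function () { return 2; }, {}),
};

// Classify every sample; returns a name -> {callable, source} map.
function classifyAll(inputs) {
  const out = {};
  for (const [name, value] of Object.entries(inputs)) {
    out[name] = wouldCompileAs(value);
  }
  return out;
}

for (const [name, r] of Object.entries(classifyAll(samples))) {
  console.log(name, r.callable ? "callable" : "would compile: " + r.source);
}
try {
  safeSetTimeout(samples.array, 0);
} catch (e) {
  console.log("rejected:", e.message);
}
clearTimeout(safeSetTimeout(samples.fn, 0));
```

The classification step is only there to make the coercion visible; the defensive point is the wrapper, which decides on `typeof` rather than on the argument's string form, so an array, a plain string and an object with a custom `toString` are all rejected the same way.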

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 March 2011 01:20:31 GMT