
[Bug 25345] New: Set window.crypto and all properties of window.crypto writable to false

From: <bugzilla@jessica.w3.org>
Date: Tue, 15 Apr 2014 08:33:55 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25345-7213@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25345

            Bug ID: 25345
           Summary: Set window.crypto and all properties of window.crypto
                    writable to false
           Product: Web Cryptography
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: info@franz-antesberger.de
                CC: public-webcrypto@w3.org

I think the crypto API is useless if a cross-site attack can overwrite the
functions, e.g.:

window.crypto.getRandomValues = function (buf) {
  for (var index = 0; index < buf.length; index++) buf[index] = 4;
  return buf;
};

That is not the randomness we want.
It is no problem when someone can add new properties to window.crypto, but
existing properties may not be overwritten.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Tuesday, 15 April 2014 08:34:01 UTC
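
Added example, not part of the original message or of the Web Cryptography specification: a page-side audit and lock-down of the properties the report is concerned with, using standard property descriptors. The names makeStandInCrypto, replaceableProps and pinMethods are hypothetical, and the stand-in object is constructed so the code runs outside a browser; on a real page the object passed in would be window.crypto.

```javascript
// Constructed stand-in for window.crypto so this runs outside a browser:
// the method lives on a prototype and starts out replaceable.
function makeStandInCrypto() {
  const proto = {
    getRandomValues(buf) {
      // Deterministic placeholder fill for the demo only; NOT a CSPRNG.
      for (let i = 0; i < buf.length; i++) buf[i] = (i * 37 + 11) & 0xff;
      return buf;
    },
  };
  return Object.create(proto);
}

// Names that script can still replace on obj itself (hypothetical helper).
function replaceableProps(obj, names) {
  return names.filter((name) => {
    const own = Object.getOwnPropertyDescriptor(obj, name);
    // No own property: an extensible object lets a new one shadow the prototype's.
    if (!own) return Object.isExtensible(obj);
    return own.writable === true || own.configurable === true;
  });
}

// Pin the current methods as own, non-writable, non-configurable properties.
// Binding keeps `this` correct and ignores later changes to the prototype.
function pinMethods(obj, names) {
  for (const name of names) {
    const original = obj[name];
    if (typeof original !== 'function') continue;
    Object.defineProperty(obj, name, { value: original.bind(obj), writable: false, configurable: false });
  }
  return obj;
}

// Audit, pin, then retry the kind of overwrite the report describes.
function demo() {
  const names = ['getRandomValues'];
  const c = makeStandInCrypto();
  const before = replaceableProps(c, names);
  pinMethods(c, names);
  const after = replaceableProps(c, names);
  const constantFill = (buf) => buf.fill(4);
  const assigned = Reflect.set(c, 'getRandomValues', constantFill);
  const redefined = Reflect.defineProperty(c, 'getRandomValues', { value: constantFill });
  const out = Array.from(c.getRandomValues(new Uint8Array(4)));
  return { before, after, assigned, redefined, out };
}
```

Pinning only helps when it runs before any other script on the page, since it captures whatever function is installed at that moment. The example covers the named methods only, not the crypto property of window itself.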
