[Bug 25345] Set window.crypto and all properties of window.crypto writable to false

From: <bugzilla@jessica.w3.org>
Date: Tue, 15 Apr 2014 15:53:39 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25345-7213-lHrjiyrteU@http.www.w3.org/Bugs/Public/>

Boris Zbarsky <bzbarsky@mit.edu> changed:

           What    |Removed                     |Added
                 CC|                            |bzbarsky@mit.edu

--- Comment #1 from Boris Zbarsky <bzbarsky@mit.edu> ---
Franz, I suspect that if you have cross-site code injection like that you're
screwed even if window.crypto and window.crypto.getRandomValues() are marked

To make this concrete, can you cite some actual example code that uses
crypto.getRandomValues()?  I will bet it's vulnerable to this sort of attack
even if getRandomValues is guaranteed to be doing the right thing.

Received on Tuesday, 15 April 2014 15:53:40 UTC
