[Bug 29183] New: Objects that implement an [Unforgeable] interface should have a non-configurable @@toPrimitive method

https://www.w3.org/Bugs/Public/show_bug.cgi?id=29183

            Bug ID: 29183
           Summary: Objects that implement an [Unforgeable] interface
                    should have a non-configurable @@toPrimitive method
           Product: WebAppsWG
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: WebIDL
          Assignee: cam@mcc.id.au
          Reporter: jorendorff@mozilla.com
        QA Contact: public-webapps-bugzilla@w3.org
                CC: mike@w3.org, public-script-coord@w3.org
  Target Milestone: ---

There's a platform security invariant that `location + ""` must not be
spoofable, but ES6 adds a new way to spoof ToPrimitive(obj): it now looks for a
method obj[@@toPrimitive].

http://www.ecma-international.org/ecma-262/6.0/index.html#sec-toprimitive

So unless an innocuous @@toPrimitive method is defined as non-configurable and
non-writable on the location object itself (not a prototype), `location + ""`
can be spoofed by defining a custom @@toPrimitive method on it.


Received on Wednesday, 7 October 2015 20:06:10 UTC
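
The behaviour described in the report, as an added example that is not part of the original bug or of any browser's code. It uses a constructed stand-in object rather than the real `location`; `makeLocationLike`, `attemptSpoof`, the `lock` modes and the `.example` URLs are assumptions of this sketch, as is the choice of `undefined` as the innocuous value. It compares no @@toPrimitive, a locked one on the prototype, and a locked one on the object itself.

```javascript
"use strict";
// Constructed stand-in for an [Unforgeable] object such as `location`.
// makeLocationLike, attemptSpoof and the `lock` modes are hypothetical names.
const LOCKED = { writable: false, enumerable: false, configurable: false };

function makeLocationLike(href, lock) {
  const proto = {};
  const obj = Object.create(proto);
  // Pre-ES6 protection: own, locked toString and valueOf.
  Object.defineProperty(obj, "toString", { value: () => href, ...LOCKED });
  Object.defineProperty(obj, "valueOf", { value: () => obj, ...LOCKED });
  // Innocuous @@toPrimitive: a value of undefined makes ToPrimitive fall
  // back to valueOf/toString. Where it lives depends on `lock`.
  if (lock === "proto") {
    Object.defineProperty(proto, Symbol.toPrimitive, { value: undefined, ...LOCKED });
  }
  if (lock === "own") {
    Object.defineProperty(obj, Symbol.toPrimitive, { value: undefined, ...LOCKED });
  }
  return obj;
}

// Tries both ways a script could install its own @@toPrimitive on the object,
// then returns what `obj + ""` evaluates to.
function attemptSpoof(obj, fake) {
  const hook = () => fake;
  try { obj[Symbol.toPrimitive] = hook; } catch (e) { /* rejected: non-writable */ }
  try {
    Object.defineProperty(obj, Symbol.toPrimitive, { value: hook, configurable: true });
  } catch (e) { /* rejected: non-configurable own property */ }
  return obj + "";
}

function demo() {
  const real = "https://real.example/";
  const fake = "https://spoofed.example/";
  return ["none", "proto", "own"].map(
    (lock) => [lock, attemptSpoof(makeLocationLike(real, lock), fake)]);
}

console.log(demo());
```

Only the `own` mode keeps the real value: a locked property on the prototype blocks plain assignment but is still shadowed by `Object.defineProperty` on the object, which is why the report asks for the method on the object itself.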