- From: David Bruant <david.bruant@labri.fr>
- Date: Tue, 28 Jun 2011 23:57:55 +0200
- To: James Robinson <jamesr@google.com>
- CC: public-web-perf@w3.org, "Mark S. Miller" <erights@google.com>
- Message-ID: <4E0A4E63.9070902@labri.fr>
On 28/06/2011 22:44, James Robinson wrote:
> On Mon, Jun 13, 2011 at 6:17 AM, David Bruant <david.bruant@labri.fr
> <mailto:david.bruant@labri.fr>> wrote:
>
> > Hi,
> >
> > setTimeout, setInterval both return an integer as an identifier. In my
> > opinion, this is a mistake.
> > If a malicious script comes up, and loops over an integer range, it can
> > cancel intervals and timeouts without having been granted the right to
> > do so. This is a security issue.
>
> Hi David,
>
> I'm not sure I understand exactly what you mean here - script can only
> cancel timers that it set. Could you expand a bit on what you mean by
> "granted the right to do so"?

If you set a timeout, it would be preferable for you to be the only person (by "person", I mean "your own scripts") allowed to clear the timeout. Otherwise, it means that any other script inserted in the page (like an advertisement or a malicious script) can cancel the timeout that you set up. In cases where you write some code that relies on the fact that if you set up a timeout it will be triggered, if some random script has the ability to cancel your timeouts, it can mess your internal logic up.

If the returned value of setTimeout is forgeable (integer, string...), then anyone has the right to cancel your timeouts (by definition of "forgeable"). If it is an unforgeable opaque identifier (like an object, as I showed in the gist in my original message), your script is the only one able to cancel a timeout... unless you decide to "hand" the identifier to another script (by passing it as an argument of a function defined in a script you haven't written, for instance). This is the case where I said that you "grant the right to another script to cancel your timeout", because you decided to "hand" this identifier. The untrusted script can decide to call clearTimeout(opaqueIdentifier), but you wrote the code handing the identifier.
You granted the right, so you are the only one to blame for the security flaw (unlike when untrusted code can loop through an integer range).

> The reason for using integer identifiers is to remain close to
> setTimeout/setInterval, but I think an opaque identifier would work
> equally well. I'm not sure what benefit it would give, however.

I hope I was clear in my explanations. Just tell me if I wasn't.

David
Received on Tuesday, 28 June 2011 21:58:37 UTC
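The following is an added example that is not part of the thread and not the gist David refers to: a small capability-style timer facade in JavaScript that hands out opaque, unforgeable handles instead of integer ids, and a `demo()` that walks through the three situations discussed above (guessing ids from an integer range, forging a handle, and deliberately handing the handle to another party). The names `guardedSetTimeout`, `guardedClearTimeout`, `isPending` and `demo` are the example's own; it runs under Node, where the native `setTimeout` returns a `Timeout` object rather than a browser integer, but the facade is the same in both environments.

```javascript
// Added example (not from the mailing-list thread or any browser source):
// a capability-style wrapper around setTimeout. The handle it returns is an
// object that only the caller receives, so nobody else can name the timer.

// Maps each issued handle to the engine's native timer id. A WeakMap keyed by
// object cannot be enumerated, so handles cannot be discovered, only received.
const pending = new WeakMap();

function guardedSetTimeout(callback, delayMs, ...args) {
  // Frozen, prototype-less object: unique, carries no state, cannot be forged.
  const handle = Object.freeze(Object.create(null));
  const nativeId = setTimeout(() => {
    pending.delete(handle); // fired: the handle is now stale
    callback(...args);
  }, delayMs);
  pending.set(handle, nativeId);
  return handle;
}

function guardedClearTimeout(handle) {
  // WeakMap.get returns undefined for primitives and for objects it never saw,
  // so integers, strings and freshly minted objects all fail here.
  const nativeId = pending.get(handle);
  if (nativeId === undefined) return false;
  clearTimeout(nativeId);
  pending.delete(handle);
  return true;
}

function isPending(handle) {
  return pending.has(handle);
}

// Walk through the scenarios from the email and report what happened.
function demo() {
  let fired = false;
  const handle = guardedSetTimeout(() => { fired = true; }, 60000);

  // 1. Code that only sweeps an integer range cancels nothing: no integer
  //    is a valid handle, whatever the native id underneath happens to be.
  let guessedCancellations = 0;
  for (let i = 0; i < 100000; i++) {
    if (guardedClearTimeout(i)) guessedCancellations++;
  }

  // 2. Forging: a fresh object that looks like a handle is not one either.
  const forgedCancelled = guardedClearTimeout(Object.freeze(Object.create(null)));
  const stillPending = isPending(handle);

  // 3. Delegation: the owner chooses to hand the handle to another function.
  //    Only now can that code cancel the timer; this is the "granted the
  //    right" case from the email.
  function thirdParty(h) { return guardedClearTimeout(h); }
  const delegateCancelled = thirdParty(handle);

  // 4. A handle that has already been cleared (or has fired) does nothing.
  const secondCancel = guardedClearTimeout(handle);

  return { guessedCancellations, forgedCancelled, stillPending, delegateCancelled, secondCancel, fired };
}

console.log(demo());
```

Because every handle is an object held in a WeakMap, there is no namespace to enumerate: the only way to cancel a timer is to be given its handle, which is exactly the "you granted the right" property argued for above. The same wrapping works for `setInterval`/`clearInterval`.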