- From: <sird@rckc.at>
- Date: Mon, 14 Feb 2011 09:49:06 +0100
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: public-web-security@w3.org
Received on Monday, 14 February 2011 09:02:22 UTC
Right, from a worker you can nuke away XHR and importScript. It's fairly smaller than a normal window :)

It's not a whitelist, but given that you get a smaller surface, you are not in so much danger right?

Greetz!

-- Eduardo

On Mon, Feb 14, 2011 at 8:44 AM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 13 February 2011 21:55, sird@rckc.at <sird@rckc.at> wrote:
>
>> What about JS Workers?
>
> Last time I checked webworkers they didn't seem to allow the removal of all
> properties from a worker, in addition it was possible to create requests
> that included cookies from the site. This is a perfect example of the need
> for a whitelist.
>
> <http://www.businessinfo.co.uk/labs/webworker/webworker.html>
>
>> I know they are async, but may work? What's the use case you are trying to
>> solve?
>
> I simply want to freeze or disable properties of an object that are unknown
> and do not match a whitelist. Most useful in a sandbox situation.
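
The whitelist approach discussed in this thread, as an added example that is not part of the original messages: every property not on the list is deleted, and anything that cannot be deleted is reported so the caller can fail closed. `lockDown` and `makeFakeWorkerScope` are hypothetical names, and the scope object is a constructed stand-in for a worker global, not a real `WorkerGlobalScope`.

```javascript
'use strict';

// Delete every property of `target` (own and inherited) that is not on the
// allowlist. Properties that refuse deletion (non-configurable) are collected
// in `stuck`, so the caller can refuse to run untrusted code in that scope.
function lockDown(target, allowlist) {
  const allowed = new Set(allowlist);
  const removed = [];
  const stuck = [];
  // Walk the prototype chain, stopping before Object.prototype, which is
  // shared with the rest of the realm.
  for (let obj = target;
       obj !== null && obj !== Object.prototype;
       obj = Object.getPrototypeOf(obj)) {
    for (const key of Reflect.ownKeys(obj)) {
      if (allowed.has(key)) continue;
      // Reflect.deleteProperty returns false instead of throwing when the
      // property is non-configurable.
      if (Reflect.deleteProperty(obj, key)) {
        removed.push(String(key));
      } else {
        stuck.push(String(key));
      }
    }
  }
  return { removed, stuck, clean: stuck.length === 0 };
}

// Constructed stand-in for a worker global: network-capable members sit both
// on the object and on its prototype, and one property is non-configurable.
function makeFakeWorkerScope() {
  const proto = { importScripts() {}, postMessage() {} };
  const scope = Object.create(proto);
  scope.XMLHttpRequest = function XMLHttpRequest() {};
  scope.onmessage = null;
  Object.defineProperty(scope, 'location', {
    value: 'https://example.test/worker.js', // constructed value
    enumerable: true,
    configurable: false,
  });
  return scope;
}

const report = lockDown(makeFakeWorkerScope(), ['postMessage', 'onmessage']);
console.log(report);
```

A non-empty `stuck` list is the case gaz describes: the scope still exposes something outside the whitelist, so deleting known-dangerous names alone does not make it a whitelist.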