Re: defineProperty is a blacklist

On 14 February 2011 08:49, sird@rckc.at <sird@rckc.at> wrote:

> Right, from a worker you can nuke away XHR and importScript. It's fairly
> smaller than a normal window :)
>

On Firefox, yes, but Chrome seems to retain XHR when deleting; bug? Then you
have __proto__, self, etc.


> It's not a whitelist, but given that you get a smaller surface, you are not
> in so much danger, right?
>

You are in no danger with a whitelist; this is my point, but a browser can
always add a new Object that you did not protect.

Received on Monday, 14 February 2011 09:28:34 UTC
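
The contrast drawn in this reply, as an added JavaScript example that is not part of the original message: a denylist leaves behind any global it was not told about, while an allowlist removes everything unlisted and reports what it could not remove. The scope object is a constructed stand-in for a worker global, and `FutureNetworkApi` is a hypothetical name, not a real browser API.

```javascript
// Constructed stand-in for a worker global scope; names are illustrative.
function makeScope() {
  const proto = { XMLHttpRequest() {} };        // inherited via the prototype chain
  const scope = Object.create(proto);
  scope.importScripts = function () {};
  scope.postMessage = function () {};
  scope.FutureNetworkApi = function () {};      // hypothetical global added by a later browser
  Object.defineProperty(scope, "self", { value: scope, configurable: false });
  return scope;
}

// Every name reachable from the scope, walking the prototype chain
// up to (but not including) Object.prototype.
function reachableNames(scope) {
  const names = new Set();
  for (let o = scope; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const n of Object.getOwnPropertyNames(o)) names.add(n);
  }
  return names;
}

// Delete a name from every object on the chain, then verify it is really gone.
function remove(scope, name) {
  for (let o = scope; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    try { delete o[name]; } catch (e) { /* strict mode: non-configurable property */ }
  }
  return !reachableNames(scope).has(name);
}

// Denylist: remove only the names we thought of.
function applyDenylist(scope, deny) {
  for (const n of deny) remove(scope, n);
  return [...reachableNames(scope)].sort();
}

// Allowlist: remove everything not listed and report what could not be removed,
// so the caller can refuse to run untrusted code in that scope.
function applyAllowlist(scope, allow) {
  const stuck = [...reachableNames(scope)].filter(n => !allow.has(n) && !remove(scope, n));
  return { remaining: [...reachableNames(scope)].sort(), stuck: stuck.sort() };
}

console.log(applyDenylist(makeScope(), ["XMLHttpRequest", "importScripts"]));
console.log(applyAllowlist(makeScope(), new Set(["postMessage"])));
```

A non-empty `stuck` list means the scope still exposes something outside the allowlist, so the check should fail closed rather than proceed.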