- From: <sird@rckc.at>
- Date: Tue, 15 Feb 2011 08:18:56 +0100
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: public-web-security@w3.org
Received on Tuesday, 15 February 2011 07:19:49 UTC
Yeah.. I wish that JS Workers were completely isolated, and with no XHR, it would be a nice feature (maybe as an extra argument marking the code as untrusted).

Anyway, what about a JS Worker triggered from a sandboxed iframe?

Greetings!

-- Eduardo

On Mon, Feb 14, 2011 at 10:28 AM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 14 February 2011 08:49, sird@rckc.at <sird@rckc.at> wrote:
>
>> Right, from a worker you can nuke away XHR and importScript. It's fairly
>> smaller than a normal window :)
>
> On Firefox yes but Chrome seems to retain XHR when deleting, bug? Then you
> have __proto__, self etc
>
>> It's not a whitelist, but given that you get a smaller surface, you are
>> not in so much danger right?
>
> You are in no danger with a whitelist, this is my point but a browser can
> always add a new Object that you did not protect
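
Added example, not part of the original message or of any browser's code: a model of the denylist-versus-whitelist point in the thread, using a plain object as a constructed stand-in for a worker global scope. The names `makeScope`, `scrubDenylist`, `scrubAllowlist` and `newBrowserApi` are hypothetical, and placing `XMLHttpRequest` on the prototype is an assumption showing one way a deleted name can stay reachable, not a statement about how any browser implements it.

```javascript
// Constructed stand-in for a worker global scope (assumption, not browser code).
function makeScope() {
  // Assumption: XMLHttpRequest is inherited, everything else is an own property.
  const proto = { XMLHttpRequest: function () {} };
  const scope = Object.create(proto);
  scope.importScripts = function () {};
  scope.postMessage = function () {};
  scope.onmessage = null;
  scope.newBrowserApi = function () {}; // models an object a later browser release adds
  return scope;
}

// Every property name visible from obj, own or inherited (stops at Object.prototype).
function reachableNames(obj) {
  const names = new Set();
  for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const k of Object.getOwnPropertyNames(o)) names.add(k);
  }
  return [...names].sort();
}

// Names that still resolve to something usable on the scope.
function usableNames(scope) {
  return reachableNames(scope).filter((n) => scope[n] !== undefined);
}

// Denylist: delete the names known to be dangerous. `delete` only removes own
// properties, and names nobody listed are left untouched.
function scrubDenylist(scope, denied) {
  for (const name of denied) delete scope[name];
  return usableNames(scope);
}

// Whitelist: shadow everything reachable that is not explicitly allowed, so
// inherited and newly introduced names are covered without being known ahead.
function scrubAllowlist(scope, allowed) {
  for (const name of reachableNames(scope)) {
    if (allowed.includes(name)) continue;
    Object.defineProperty(scope, name, {
      value: undefined, writable: false, configurable: false,
    });
  }
  return usableNames(scope);
}

console.log(scrubDenylist(makeScope(), ['XMLHttpRequest', 'importScripts']));
console.log(scrubAllowlist(makeScope(), ['postMessage', 'onmessage']));
```

This only models name resolution on one object; it does not address the other routes mentioned in the thread such as `__proto__` and `self`.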