Re: defineProperty is a blacklist


I wish that JS Workers were completely isolated, and with no XHR, it would
be a nice feature (maybe as an extra argument marking the code as

Anyway, what about a JS Worker triggered from a sandboxed iframe?


-- Eduardo

On Mon, Feb 14, 2011 at 10:28 AM, gaz Heyes <> wrote:

> On 14 February 2011 08:49, <> wrote:
>> Right, from a worker you can nuke away XHR and importScript. It's fairly
>> smaller than a normal window :)
> On Firefox yes but Chrome seems to retain XHR when deleting, bug? Then you
> have __proto__, self etc
>> It's not a whitelist, but given that you get a smaller surface, you are
>> not in so much danger right?
> You are in no danger with a whitelist, this is my point but a browser can
> always add a new Object that you did not protect

Received on Tuesday, 15 February 2011 07:19:49 UTC