Re: defineProperty is a blacklist from gaz Heyes on 2011-02-16 (public-web-security@w3.org from February 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 16 Feb 2011 20:53:48 +0000
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org
Message-ID: <AANLkTinMhRSbu3zXaMPcD120XzqAG1QmKfxAvBHw+KvM@mail.gmail.com>

On 16 February 2011 19:04, Daniel Veditz <dveditz@mozilla.com> wrote:

> Is Object.preventExtensions what you want?
>
>
> https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Object/preventExtensions
>
> Take a look at Object.seal and Object.freeze as well.
>

Hey Daniel, nope those prevent a object being modified or extended but not
to prevent access to a property you don't know about. For example if a
browser added a property to window called "x" which did a redirection and
was not exposed to a for..in loop then the only way to prevent this would be
to know about "x" and overwrite it. A classic blacklist, whitelists are
better.

Received on Wednesday, 16 February 2011 20:54:15 UTC