- From: <bugzilla@jessica.w3.org>
- Date: Wed, 07 Oct 2015 20:06:07 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=29183

Bug ID: 29183
Summary: Objects that implement an [Unforgeable] interface should have a non-configurable @@toPrimitive method
Product: WebAppsWG
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: WebIDL
Assignee: cam@mcc.id.au
Reporter: jorendorff@mozilla.com
QA Contact: public-webapps-bugzilla@w3.org
CC: mike@w3.org, public-script-coord@w3.org
Target Milestone: ---

There's a platform security invariant that `location + ""` must not be spoofable, but ES6 adds a new way to spoof ToPrimitive(obj): it now looks for a method obj[@@toPrimitive].

http://www.ecma-international.org/ecma-262/6.0/index.html#sec-toprimitive

So unless an innocuous @@toPrimitive method is defined as non-configurable and non-writable on the location object itself (not a prototype), `location + ""` can be spoofed by defining a custom @@toPrimitive method on it.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Wednesday, 7 October 2015 20:06:09 UTC
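
The invariant from the report above, as an added example (not code from the report, the WebIDL spec or any browser): a plain object stands in for `location`, with `toString` and `valueOf` already locked, which is assumed here to model an [Unforgeable] object before ES6. `makeLocationLike` and `trySpoof` are hypothetical names and the URLs are constructed.

```javascript
// Property attributes for a locked ("unforgeable") data property.
const LOCKED = { writable: false, enumerable: false, configurable: false };

// Build a stand-in for the location object (assumption: not the real Location).
// toPrimitiveOn: 'none' | 'prototype' | 'own' selects where the innocuous
// @@toPrimitive method is installed.
function makeLocationLike(href, toPrimitiveOn) {
  const proto = {};
  const obj = Object.create(proto);
  // Pre-ES6 protection: string conversion hooks are own, locked properties.
  Object.defineProperty(obj, 'toString', { value: () => href, ...LOCKED });
  Object.defineProperty(obj, 'valueOf', { value: () => obj, ...LOCKED });
  const target = { own: obj, prototype: proto }[toPrimitiveOn];
  if (target) {
    // Innocuous method: yields the same string toString() would.
    Object.defineProperty(target, Symbol.toPrimitive,
      { value: () => href, ...LOCKED });
  }
  return obj;
}

// Model untrusted script defining its own @@toPrimitive on the object, then
// report whether the definition succeeded and what `obj + ""` now yields.
function trySpoof(obj, fakeHref) {
  const defined = Reflect.defineProperty(obj, Symbol.toPrimitive, {
    value: () => fakeHref, writable: true, configurable: true,
  });
  return { defined, seen: obj + '' };
}

const REAL = 'https://real.example/';     // constructed sample value
const FAKE = 'https://spoofed.example/';  // constructed sample value

function runCases() {
  const results = {};
  for (const where of ['none', 'prototype', 'own']) {
    results[where] = trySpoof(makeLocationLike(REAL, where), FAKE);
  }
  return results;
}

console.log(runCases());
```

Only the `own` case keeps `obj + ""` equal to the real value: a locked method on the prototype is shadowed by a new own property, which is why the report asks for the property on the object itself.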