Re: Opt-in flag to disable DOM clobbering

On Tue, Oct 25, 2022 at 2:15 PM Soheil Khodayari
<soheil.khodayari@cispa.de> wrote:
> In comparison, 16.7% of the webpages or 42% of the websites could be at risk because they use these clobberable built-in window properties in their JavaScript code, and attackers can potentially tamper with the execution by injecting markup with colliding names.

If attackers can inject somewhat arbitrary markup there's a variety of
surfaces they could attack though, e.g., querySelector() calls. As
such, XSS alone does not seem like a sufficient reason to warrant this
switch to me. I suppose it might help with reusability of scripts in
that scripts you write cannot be impacted by certain markup constructs
existing. (This is also argued in one of the issues referenced in OP,
that it might help reduce subtle bugs.) If known at document-creation
time, could it allow for certain JS engine optimizations? (Or would it
have to be JS agent-wide for that?)

Introducing switches like this is a somewhat non-trivial endeavor and
as such I think this needs a more compelling story.

Received on Tuesday, 25 October 2022 14:55:49 UTC
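The collision the quoted message describes, shown as an added example that is not part of this thread or of any proposal in it: a script reads a setting from a `window` property, an attacker who can inject markup adds an element whose `id` matches that name, and the browser binds the element to the property. Node has no DOM, so the effect of `<a id="apiBase" href="https://attacker.example/api">` is modelled here by a constructed stand-in object with the two properties that matter, `nodeType === 1` and a stringifier that returns the `href` (which is how `HTMLAnchorElement` stringifies). The property name `apiBase`, the hostnames and the two fake `window` objects are all assumptions made for the example; the same guard applies whatever name is collided.

```javascript
// Added example (not code from the original thread). Models DOM clobbering of
// a window property and shows a vulnerable reader beside a hardened one.

// Constructed stand-in for what the browser binds to window.apiBase after
//   <a id="apiBase" href="https://attacker.example/api">
// is injected: an element (nodeType 1) whose toString() returns its href.
const clobberedAnchor = {
  nodeType: 1,                       // Node.ELEMENT_NODE
  tagName: 'A',
  href: 'https://attacker.example/api',
  toString() { return this.href; },  // HTMLAnchorElement's stringifier does the same
};

// Two constructed "window" objects: a clean page, and one where the markup
// above was injected and the browser created the named property.
const cleanWindow = {};
const injectedWindow = { apiBase: clobberedAnchor };

const DEFAULT_BASE = 'https://app.example/api';

// Vulnerable pattern: trusts whatever window.apiBase resolves to. The `||`
// sees a truthy object, `+` calls toString(), and the request URL becomes
// attacker-controlled.
function buildUrlUnsafe(win, path) {
  const base = win.apiBase || DEFAULT_BASE;
  return base + path;
}

// A DOM node (element, document, text node) is never a valid value for a
// setting. This check is also what you want before trusting a global that
// is supposed to be a plain configuration object.
function isDomNode(value) {
  return value !== null && typeof value === 'object' && typeof value.nodeType === 'number';
}

// Hardened pattern: accept the global only if it is a primitive string;
// anything else (element, collection, undefined) falls back to the
// compiled-in default instead of being stringified into a URL.
function readStringGlobal(win, name, fallback) {
  const value = win[name];
  if (isDomNode(value) || typeof value !== 'string') return fallback;
  return value;
}

function buildUrlSafe(win, path) {
  return readStringGlobal(win, 'apiBase', DEFAULT_BASE) + path;
}

// Stand-alone run: the unsafe builder yields the attacker's URL on the
// injected page, the safe builder yields the application URL on both.
console.log('unsafe, injected :', buildUrlUnsafe(injectedWindow, '/users'));
console.log('safe,   injected :', buildUrlSafe(injectedWindow, '/users'));
console.log('safe,   clean    :', buildUrlSafe(cleanWindow, '/users'));
```

In a real page, `buildUrlUnsafe(window, '/users')` behaves the same way once the `<a>` is present, because the browser's named-property binding is exactly what the `injectedWindow` object imitates. Note that the type check is the defence; a `typeof` test alone is not enough if the setting is expected to be an object, which is why `isDomNode` is kept as a separate helper.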