- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 25 Oct 2022 16:55:15 +0200
- To: Soheil Khodayari <soheil.khodayari@cispa.de>
- Cc: Titouan Rigoudy <titouan@chromium.org>, public-webappsec@w3.org, "Pellegrino, Giancarlo" <pellegrino@cispa.de>
On Tue, Oct 25, 2022 at 2:15 PM Soheil Khodayari <soheil.khodayari@cispa.de> wrote:

> In comparison, 16.7% of the webpages or 42% of the websites could be at risk because they use these clobberable built-in window properties in their JavaScript code, and attackers can potentially tamper with the execution by injecting markup with colliding names.

If attackers can inject somewhat arbitrary markup there's a variety of surfaces they could attack though, e.g., querySelector() calls. As such XSS alone does not seem like a sufficient reason to warrant this switch to me.

I suppose it might help with reusability of scripts in that scripts you write cannot be impacted by certain markup constructs existing. (This is also argued in one of the issues referenced in OP, that it might help reduce subtle bugs.)

If known at document-creation time, could it allow for certain JS engine optimizations? (Or would it have to be JS agent-wide for that?)

Introducing switches like this is a somewhat non-trivial endeavor and as such I think this needs a more compelling story.
Received on Tuesday, 25 October 2022 14:55:49 UTC
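The thread discusses scripts that rely on clobberable window properties. Until a switch like the one proposed exists, the mitigation available to page authors today is to verify, before use, that an expected global is not actually a DOM node or HTMLCollection. The following is an added example written for this archive page, not code from the thread, from Anne van Kesteren, or from any W3C deliverable. The property names (`config`, `parseFeed`), the mock window objects and the expectation table are constructed for illustration; in a real browser the duck-typed checks would simply be `value instanceof Element || value instanceof HTMLCollection`, which Node cannot evaluate because it has no DOM.

```javascript
// Added example (not from the mailing-list thread): a defender-side audit a
// page script can run before trusting globals it expects on `window`.
// DOM clobbering replaces such a property with an element (or with an
// HTMLCollection when several elements share a name), so the question the
// check answers is: "is the value I am about to use actually a DOM object?"
//
// Browser form: `value instanceof Element || value instanceof HTMLCollection`.
// Node has no DOM, so this version duck-types the same shapes (assumption:
// nodeType / length + namedItem are sufficient fingerprints) and runs
// against a constructed mock window.

function looksLikeDomNode(value) {
  // Every DOM Node exposes a numeric nodeType (1 = ELEMENT_NODE).
  return value !== null && typeof value === "object" &&
    typeof value.nodeType === "number";
}

function looksLikeCollection(value) {
  // HTMLCollection exposes a numeric length plus item()/namedItem().
  return value !== null && typeof value === "object" &&
    typeof value.length === "number" &&
    typeof value.namedItem === "function";
}

// Check one expected global. `expectedType` is the typeof the script relies on.
function checkGlobal(globalObj, name, expectedType) {
  const value = globalObj[name];
  if (value === undefined) {
    return { name, status: "missing" };
  }
  if (looksLikeDomNode(value) || looksLikeCollection(value)) {
    // A DOM object where the script expected data or a function: clobbered.
    return { name, status: "clobbered", tag: value.tagName || "collection" };
  }
  if (typeof value !== expectedType) {
    return { name, status: "wrong-type", actual: typeof value };
  }
  return { name, status: "ok" };
}

// Audit every global the script depends on; returns only the findings that
// need attention so they can be logged or reported to a monitoring endpoint.
function auditGlobals(globalObj, expectations) {
  return Object.entries(expectations)
    .map(([name, type]) => checkGlobal(globalObj, name, type))
    .filter((r) => r.status !== "ok");
}

// --- Constructed sample data (hypothetical, not from any real page) -------
// A healthy window: `config` is the plain object the script expects and
// `parseFeed` is a function. Only the names under test are modelled.
const healthyWindow = {
  config: { apiBase: "/api" },
  parseFeed: function () { return []; },
};

// The same window after markup whose id/name collides with `config` and
// `parseFeed` ended up in the document: the object became an element and the
// function became an HTMLCollection. Hand-built stand-ins for DOM objects.
const clobberedWindow = {
  config: { nodeType: 1, tagName: "A", id: "config", href: "https://example.invalid/" },
  parseFeed: { length: 2, item() { return null; }, namedItem() { return null; } },
};

const expectations = { config: "object", parseFeed: "function" };

function demo() {
  return {
    healthy: auditGlobals(healthyWindow, expectations),
    clobbered: auditGlobals(clobberedWindow, expectations),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints an empty findings list for the healthy window and two `clobbered` findings for the mock clobbered one. The useful design point is that the script declares the globals it depends on up front, so the same table can drive both a fail-closed guard at load time and a telemetry event that tells the defender which property collided, which is exactly the kind of "subtle bug" signal the thread mentions.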