[Bug 25345] New: Set window.crypto and all properties of window.crypto writable to false from bugzilla@jessica.w3.org on 2014-04-15 (public-webcrypto@w3.org from April 2014)

From: <bugzilla@jessica.w3.org>
Date: Tue, 15 Apr 2014 08:33:55 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25345-7213@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25345

            Bug ID: 25345
           Summary: Set window.crypto and all properties of window.crypto
                    writable to false
           Product: Web Cryptography
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: info@franz-antesberger.de
                CC: public-webcrypto@w3.org

I think, the crypto api is useless, if a cross site attack can overwrite the
functions.
e.g

window.crypto.getRandomValues = function (buf) {
  for (var index =0; index  < buf.length; index++) buf[index] = 4;
  return buf;
}

That is not the randomness we want.
It is no problem, when someone can add new properties to windows.crypto, but
existing properties may not be overwritten.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Tuesday, 15 April 2014 08:34:01 UTC