- From: <bugzilla@jessica.w3.org>
- Date: Thu, 03 Mar 2016 18:03:44 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=29437

--- Comment #5 from Boris Zbarsky <bzbarsky@mit.edu> ---

I was wrong: there is no way to create a carefully written reviver function that is black-box indistinguishable from a separate global. In fact, even the null prototypes approach is black-box distinguishable from a separate global (more on this below).

Also, the null prototypes approach can't handle a JsonWebKey that has an "oth" or "key_ops" property, as far as I can tell: a null proto on the array would mean that conversion to sequence would fail because it would not be iterable, because the Symbol.iterator lives on Array.prototype. And you can't even put it on the instance because the array iterator prototype would still be under control of whoever controls the global...

Anyway, for the basic black-box distinguishability bits, consider this JSON:

  { "crv": {} }

If we create objects as normal and then init a JsonWebKey with this object, we will get "[object Object]" for crv. If we create objects with null prototypes, we will get an exception instead.

This is mostly a theoretical problem, I think, though I did not examine all the string members of JsonWebKey. The array problem is a bigger deal.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 3 March 2016 18:03:46 UTC
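
The two differences described in the comment above can be reproduced with the following added example, which is not part of the original message or of the Web Crypto specification. `nullProtoReviver`, `toDOMString`, `toSequence` and `compare` are hypothetical names; the two converters are simplified stand-ins for the WebIDL DOMString and sequence conversions, and the `key_ops` input is constructed.

```javascript
// Hypothetical reviver: strips the prototype from every object and array
// that JSON.parse creates (the "null prototypes approach").
function nullProtoReviver(_key, value) {
  if (value !== null && typeof value === 'object') {
    Object.setPrototypeOf(value, null);
  }
  return value;
}

// Simplified stand-in for WebIDL DOMString conversion (ECMAScript ToString).
function toDOMString(v) {
  return String(v);
}

// Simplified stand-in for WebIDL sequence<DOMString> conversion:
// look up @@iterator on the value, then drain the iterator.
function toSequence(v) {
  if (v === null || typeof v !== 'object') throw new TypeError('not an object');
  const method = v[Symbol.iterator]; // inherited from Array.prototype normally
  if (typeof method !== 'function') throw new TypeError('not iterable');
  const out = [];
  const it = method.call(v);
  for (let r = it.next(); !r.done; r = it.next()) out.push(toDOMString(r.value));
  return out;
}

// Run a conversion and record either its value or the error type.
function attempt(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Parse the same JSON both ways and convert one member with `convert`.
function compare(json, member, convert) {
  const normal = JSON.parse(json);
  const stripped = JSON.parse(json, nullProtoReviver);
  return {
    normal: attempt(() => convert(normal[member])),
    nullProto: attempt(() => convert(stripped[member])),
  };
}

// The JSON from the comment, plus a constructed key_ops array.
const crvCase = compare('{ "crv": {} }', 'crv', toDOMString);
const keyOpsCase = compare('{ "key_ops": ["sign", "verify"] }', 'key_ops', toSequence);
console.log(crvCase, keyOpsCase);
```
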