How to clean up __proto__ (was: Why we need to clean up __proto__)
bruant.d at gmail.com
Fri Dec 30 15:34:47 PST 2011
On 30/12/2011 17:07, Russell Leggett wrote:
> On Fri, Dec 30, 2011 at 6:53 AM, David Bruant <bruant.d at gmail.com> wrote:
> On 30/12/2011 02:28, John J Barton wrote:
>> On Thu, Dec 29, 2011 at 5:11 PM, David Bruant <bruant.d at gmail.com> wrote:
>> On 30/12/2011 01:00, Lasse Reichstein wrote:
>> > On Thu, Dec 29, 2011 at 8:41 PM, Mark S. Miller <erights at google.com> wrote:
>> I've been thinking about this "run first" idea for some time. Since on a webpage, security seems to depend on your ability to run code first, it would be interesting if there was a way to ensure that some code (preferably defensive) is run before *any* other code. Though I find this interesting, I'm still not sure whether this would be a good or bad idea. I'm also clueless about what it would look like.
>> Creative ideas welcome.
>> The browser runs first: what can't it do that you want to support?
> I was thinking of the case of XSS for instance where your code is in competition with unexpected and malicious code. What I've said before applies and even against an XSS attack, you can prevent cookie theft as long as you run first.
> I can't see a way for the browser to enforce that trusted code run before untrusted code.
> I must be missing something here, but if you put your defensive script first in the head of the HTML, how can XSS code run first? Most XSS attacks are based on user data unescaped and put into the body of the page somewhere.
In some cases, the unescaped data is put in the <title> or in the <meta> element as keywords or description, so before the body.
I think there is no unique solution. It's up to the web dev to know what the dangers are, which points are dangerous, and maybe write a defensive script before that. Why not inline it if it's short enough?
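An added example, not from the thread or from any of its contributors, of the kind of short inline "run first" script the subject line points at: cleanupProto removes the legacy __proto__ accessor from Object.prototype, and copyKeys plus SAMPLE are constructed stand-ins for code that runs later and for its untrusted input, so the same input can be probed before and after the cleanup.

```javascript
// Added example: a "run first" defensive script for the __proto__ case.
// Removing the Object.prototype.__proto__ accessor before any other code
// runs means later code cannot rewrite an object's prototype through it.
function cleanupProto() {
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
  if (desc === undefined) return false;   // already removed
  if (!desc.configurable) return false;   // engine refuses; nothing to do
  delete Object.prototype.__proto__;
  return true;
}

// Constructed stand-in for code that runs later (e.g. an injected script):
// it copies every key of an untrusted JSON document onto a fresh object.
// While the accessor exists, a "__proto__" key replaces target's prototype.
function copyKeys(untrustedJson) {
  const src = JSON.parse(untrustedJson);   // JSON.parse creates an own "__proto__" key
  const target = {};
  for (const k of Object.keys(src)) target[k] = src[k];
  return target;
}

// Constructed sample input: a document carrying a "__proto__" key.
const SAMPLE = '{"name":"x","__proto__":{"isAdmin":true}}';

// Reports whether copyKeys(SAMPLE) changed the prototype chain of its result.
function probe() {
  const t = copyKeys(SAMPLE);
  return {
    polluted: Object.getPrototypeOf(t) !== Object.prototype,
    isAdminVisible: t.isAdmin === true,
  };
}

// Run the probe before and after the defensive cleanup.
function demonstrate() {
  const before = probe();
  const removed = cleanupProto();
  const after = probe();
  return { removed, before, after };
}

const report = demonstrate();
console.log(JSON.stringify(report));
// prints {"removed":true,"before":{"polluted":true,"isAdminVisible":true},"after":{"polluted":false,"isAdminVisible":false}}
```

Once the accessor is gone, a later "__proto__" key only becomes an ordinary own property, and Object.getPrototypeOf / Object.setPrototypeOf remain available to code that legitimately needs them.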