How to clean up __proto__ (was: Why we need to clean up __proto__)

David Bruant bruant.d at gmail.com
Fri Dec 30 15:34:47 PST 2011


Le 30/12/2011 17:07, Russell Leggett a écrit :
>
>
> On Fri, Dec 30, 2011 at 6:53 AM, David Bruant <bruant.d at gmail.com
> <mailto:bruant.d at gmail.com>> wrote:
>
>     Le 30/12/2011 02:28, John J Barton a écrit :
>>     On Thu, Dec 29, 2011 at 5:11 PM, David Bruant <bruant.d at gmail.com
>>     <mailto:bruant.d at gmail.com>> wrote:
>>
>>         Le 30/12/2011 01:00, Lasse Reichstein a écrit :
>>         > On Thu, Dec 29, 2011 at 8:41 PM, Mark S. Miller
>>         <erights at google.com <mailto:erights at google.com>> wrote:
>>         I've been thinking about this "run first" idea for some time.
>>         Since on a
>>         webpage, security seems to depend on your ability to run code
>>         first, it
>>         would be interesting if there was a way to ensure that some code
>>         (preferably defensive) is run before *any* other code. Though
>>         I find
>>         this interesting, I'm still not sure whether this would be a
>>         good or bad
>>         idea. I'm also clueless on how it would look like.
>>         Creative ideas welcome.
>>
>>
>>     The browser runs first: what can't it do that you want to support?
>     I was thinking of the case of XSS for instance where your code is
>     in competition with unexpected and malicious code. What I've said
>     before applies and even against an XSS attack, you can prevent
>     cookie theft as long as you run first.
>     I can't see a way for the browser to enforce that trusted code run
>     before untrusted code.
>
> I must be missing something here, but if you put your defensive script
> first in the head of the html, how can XSS code run first? Most XSS
> attacks are base on user data unescaped and put into the body of the
> page somewhere.
In some cases, the unescaped data is put in the <title> or in the <meta>
element as keywords or description, so before the body.

I think there is no unique solution. It's up to the web dev to know what
the dangers are, what the points that are dangerous and maybe write a
defensive script before that. Why not inlined if it's short enough.

David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20111231/7731d24b/attachment-0001.html>


More information about the es-discuss mailing list