Experimental implementation of Object.observe & JS Utility library now available

Rafael Weinstein rafaelw at chromium.org
Fri Aug 17 05:47:52 PDT 2012


Hi gaz,

Thanks so much for your time.

Much care has been taken with this proposal to ensure that it is
neutral with respect to the existing JS Object/Security model.

As I understand it, the core vulnerability with JSON hacking is the
ability to define getters on the Object prototype. Object.observe()
does not affect that ability.

In order to be notified of changes to an object, you need a reference
to it first. E.g.

Object.observe(Object.prototype, function doBadThings() { .. });

But if you were able to do this, you could have just as easily gone
ahead and done bad things directly to the Object.prototype.
Object.observe() doesn't increase your access.

If there is something I'm missing, perhaps you can provide a code
example of how the attack would work.

On Fri, Aug 17, 2012 at 2:50 AM, gaz Heyes <gazheyes at gmail.com> wrote:
> Hi Rafael
>
> Would this proposal work on the Object prototype? If so then it could be
> used for JSON hijacking. I'd recommend it didn't.
>
> Cheers
>
> Gareth
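
A defender-side check for the condition this thread discusses, accessor properties defined on Object.prototype, as an added example that is not part of the original messages. The names `findPrototypeAccessors`, `demo` and `constructedField` are constructed, and the allow-list assumes a current engine where `__proto__` is the only built-in accessor on Object.prototype.

```javascript
// Added example, not code from the thread. All names here are constructed.
// Assumption: on an untouched current engine, __proto__ is the only
// accessor property defined on Object.prototype.
const EXPECTED_ACCESSORS = new Set(["__proto__"]);

// Return the keys of getter/setter properties on `proto` that are not allowed.
function findPrototypeAccessors(proto = Object.prototype, allowed = EXPECTED_ACCESSORS) {
  const found = [];
  for (const key of Reflect.ownKeys(proto)) {
    const desc = Object.getOwnPropertyDescriptor(proto, key);
    const isAccessor = typeof desc.get === "function" || typeof desc.set === "function";
    if (isAccessor && !allowed.has(key)) found.push(String(key));
  }
  return found;
}

function demo() {
  const result = { before: findPrototypeAccessors() };
  // Code that already holds a reference to Object.prototype can define an
  // accessor on it directly; no observation API is involved.
  Object.defineProperty(Object.prototype, "constructedField", {
    configurable: true,
    get() { return "from prototype getter"; },
  });
  try {
    result.inherited = ({}).constructedField;   // resolved through the prototype
    result.during = findPrototypeAccessors();    // the audit reports the accessor
    // Parsed JSON creates own data properties, which shadow the getter.
    result.parsed = JSON.parse('{"constructedField":"own value"}').constructedField;
  } finally {
    delete Object.prototype.constructedField;    // restore the prototype
  }
  result.after = findPrototypeAccessors();
  // A frozen object rejects new accessors. A stand-in is frozen here so the
  // real Object.prototype stays usable for the rest of the program.
  const frozenStandIn = Object.freeze({});
  try {
    Object.defineProperty(frozenStandIn, "constructedField", { get() { return 1; } });
    result.frozenBlocked = false;
  } catch (err) {
    result.frozenBlocked = err instanceof TypeError;
  }
  return result;
}

console.log(demo());
```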

