Mark S. Miller
erights at google.com
Sun Feb 26 08:10:10 PST 2012
On Sun, Feb 26, 2012 at 1:39 AM, David Bruant <bruant.d at gmail.com> wrote:
> > On 26/02/2012 01:23, Geoffrey Sneddon wrote:
> > On 13/02/12 17:55, Allen Wirfs-Brock wrote:
> >> Let's try to get this back to concrete issues that I can incorporate
> >> into a specification.
> >> The current draft is at
> >> Gavin and Oliver seem to really want to use an accessor for
> >> Object.prototype.__proto__
> > On the whole this is my preference too, as it practically eliminates
> > special-casing for the __proto__ property, which on the whole I'm in
> > favour of.
> > I've basically implemented something close to what is attributed to
> > Dave Herman on the wiki in Carakan now, albeit without the context
> > check, though I agree it's a good idea. I wonder if it's
> > web-compatible to disallow cross-context prototype chains (both
> > through __proto__ and Object.create).
> What is asked to be disallowed is only changing the prototype with
> __proto__ in a cross-context manner.
> Creating cross-context chains with Object.create has not been discussed
> I think and should be fine...
> ....or not?
> Given an attacker from context A, a defender from context D (I'll use
> these letters to refer to the global object of each context). An
> attacker can create an object like
> var maliciousProto = Object.create(D.Object.prototype);
> // Add whatever own properties to maliciousProto
> someObjectInD.__proto__ = maliciousProto;
If D has already deleted F.Object.prototype.__proto__, then your attack
fails at the above step.
> I was enthusiastic about Gavin's Object.prototype ownership-based solution,
> but it seems that as long as an attacker has the possibility to create
> cross-context objects, an Object.prototype-based solution actually does
> not prevent anything.
> > The one thing I would prefer, however, would be that the setter is
> > optional (i.e., it is permissible to have __proto__ have just a getter
> > or have both a getter and a setter, but not just a setter).
> I think that it's unrealistic since the web does use the setter as well.
> If the setter was standardized as optional, all implementations would
> implement it anyway.