bruant.d at gmail.com
Sun Feb 26 08:47:27 PST 2012
On 26/02/2012 17:10, Mark S. Miller wrote:
> On Sun, Feb 26, 2012 at 1:39 AM, David Bruant <bruant.d at gmail.com> wrote:
> Creating cross-context chains with Object.create has not been
> I think and should be fine...
> ....or not?
> Given an attacker from context A, a defender from context D (I'll use
> these letters to refer to the global object of each context). An
> attacker can create an object like
> var maliciousProto = Object.create(D.Object.prototype);
> // Add whatever own properties to maliciousProto
> someObjectInD.__proto__ = maliciousProto
> If D has already deleted F.Object.prototype.__proto__, then your
> attack fails at the above step.
I guess it's the reason why you said that __proto__ being an accessor or
data property does not make that big of a difference from a security
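The exchange above, as an added example that is not part of the original message and was not written by either participant: it runs the quoted assignment against an undefended object, against one where the `__proto__` accessor has been deleted from Object.prototype as described in the quoted reply, and against a non-extensible object. A single realm stands in for context D; the function names and the Object.preventExtensions case are assumptions of this example, not from the thread.

```javascript
// Constructed single-realm stand-in for the defender context D in the thread.

// Perform the assignment quoted in the thread against `target` and report the result.
function tryProtoSwap(target) {
  const maliciousProto = Object.create(Object.prototype);
  maliciousProto.injected = true; // own property the attacker wants `target` to inherit
  try {
    target.__proto__ = maliciousProto;
  } catch (e) {
    return { swapped: false, inherits: false, reason: e.constructor.name };
  }
  const swapped = Object.getPrototypeOf(target) === maliciousProto;
  return {
    swapped,
    inherits: target.injected === true,
    // Without the accessor, the assignment only creates an own data property.
    reason: swapped ? 'setter ran' : 'plain own property created',
  };
}

// Run `fn` with Object.prototype.__proto__ deleted (the defence in the thread),
// then restore the accessor so the rest of the program is unaffected.
function withoutProtoAccessor(fn) {
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (!desc) return fn(); // accessor already absent in this runtime
  delete Object.prototype.__proto__;
  try {
    return fn();
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', desc);
  }
}

function demo() {
  return {
    // 1. No defence: the setter on Object.prototype replaces the prototype.
    undefended: tryProtoSwap({ name: 'someObjectInD' }),
    // 2. Accessor deleted first: the assignment no longer reaches [[Prototype]].
    accessorDeleted: withoutProtoAccessor(() => tryProtoSwap({ name: 'someObjectInD' })),
    // 3. Per-object hardening (assumption of this example): a non-extensible
    //    object rejects any prototype change, whatever route is used.
    nonExtensible: tryProtoSwap(Object.preventExtensions({ name: 'someObjectInD' })),
  };
}

console.log(demo());
```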