charles at isomorphic.com
Sat Jun 9 09:36:51 PDT 2012
On Fri, Jun 8, 2012 at 6:48 PM, Erik Arvidsson <erik.arvidsson at gmail.com> wrote:
> On Fri, Jun 8, 2012 at 4:10 PM, Charles Kendrick <charles at isomorphic.com> wrote:
>>> Once again, exposing the actual arguments, receiver and function
>>> object references is a security issue and completely out of scope for
>>> this. This is not related to cross domain access but related to object
>> Erik how do you reconcile this with the fact that this information can
>> already be obtained in most production browsers via stack walking?
> Stack walking is not available in strict functions.
Interesting, but it doesn't speak against programmatic access to the
If "use strict" or any other security feature means that
function.arguments are not accessible to a given script, then the same
constraint could be trivially enforced with programmatic access to the
The same could be applied to access to the receiver or values of local
variables. In fact, V8's CallSite API makes the receiver inaccessible
for a strict mode function (I just checked).
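
The two behaviours this message turns on, as an added example that is not part of the original post: legacy stack walking through `caller`/`arguments`, and the receiver exposed by V8's CallSite API, each probed from a sloppy and from a strict function. `probe`, `SECRET` and the function bodies are constructed for illustration, and the code assumes a V8 runtime such as Node.js.

```javascript
// Added example; names and values here are constructed, not from the thread.
// The Function constructor is used so each body's mode is explicit even if
// this file itself is loaded as a (always strict) ES module.
const SECRET = { token: 'constructed-sample-value' };

const body = `
  function leaf() {
    const out = {};
    // 1. Legacy stack walking: reach the caller and read its actual arguments.
    try {
      out.callerArg = leaf.caller.arguments[0];
    } catch (e) {
      out.callerArg = e.name;          // strict functions throw here
    }
    // 2. V8 CallSite API: ask the innermost frame (leaf itself) for its receiver.
    const saved = Error.prepareStackTrace;
    Error.prepareStackTrace = (_err, frames) => frames;
    try {
      const frames = new Error().stack;
      out.receiver = Array.isArray(frames)
        ? frames[0].getThis()
        : 'no CallSite API';            // non-V8 engine
    } finally {
      Error.prepareStackTrace = saved;  // do not leave the hook installed
    }
    return out;
  }
  // outer passes its argument on as leaf's receiver.
  return function outer(arg) { return leaf.call(arg); };
`;

// Build the same call chain in sloppy or strict mode and run it on SECRET.
function probe(strict) {
  const outer = new Function((strict ? '"use strict";' : '') + body)();
  return outer(SECRET);
}

const sloppy = probe(false);
const strict = probe(true);
console.log('sloppy: caller argument leaked =', sloppy.callerArg === SECRET,
            '| receiver leaked =', sloppy.receiver === SECRET);
console.log('strict: caller argument ->', strict.callerArg,
            '| receiver ->', strict.receiver);
```
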