Problems with strict-mode caller poisoning
rossberg at google.com
Thu Nov 22 08:31:04 PST 2012
On 20 November 2012 17:26, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote:
> Yes, property descriptor records can't act like accessors. They are just specification internal records that indicate that a set of values is being passed around. But we can censor the value that goes into the record. To me this seems like a sufficient solution for dealing with the security issue. It deviates from what was specified in ES5.1 but that is buggy and I don't think a change from throwing to returning null for the caller would create much havoc
+1. I just implemented this in V8, and we will see how it goes in the wild.
Interestingly, none of the 97 tests in test262 that are specifically
concerned with 220.127.116.11 fail after this change 8-}. It seems that they
are broken in at least two ways: allowing a falsey value for .caller,
and assuming that a global function would be non-strict even if the
global scope is already strict.
More information about the es-discuss