Realm, schmealm!

Boris Zbarsky bzbarsky at MIT.EDU
Thu Aug 1 10:58:48 PDT 2013


On 8/1/13 1:50 PM, Brendan Eich wrote:
> How about the non-enumerable thing? That doesn't really protect anything
> in ES5 era, and as Allen says it doesn't protect against guessed-name
> probing.

Oh, and here...  I agree that it doesn't seem to protect against 
getOwnPropertyNames.  But guessed-name probing is protected against by 
the fact that [[GetOwnProperty]] should fail for cross-origin access 
except as whitelisted.  I think the spec currently talks about gets or 
sets, but it should really be specified in terms of the MOP, indeed.

-Boris
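
Added example, not part of the message above or of any spec text: a Proxy-based model of a cross-origin wrapper, comparing a filter written only in terms of gets and sets with one applied to every MOP operation, and a probe that reports which operations confirm a guessed name. The whitelist, the sample object, the ownKeys filtering and the choice to fail by throwing are assumptions of this sketch.

```javascript
// Constructed whitelist and target object; neither comes from a spec.
const ALLOWED = new Set(["postMessage", "closed"]);
const sampleWindow = { postMessage() {}, closed: false, secretToken: "constructed" };

function deny(key) {
  throw new Error(`cross-origin access to "${String(key)}" denied`);
}

// Filter expressed only as property gets and sets.
function getSetOnlyWrapper(target) {
  return new Proxy(target, {
    get: (t, k) => (ALLOWED.has(k) ? Reflect.get(t, k) : deny(k)),
    set: (t, k, v) => (ALLOWED.has(k) ? Reflect.set(t, k, v) : deny(k)),
  });
}

// Filter expressed at the MOP level: every keyed operation goes through the
// same whitelist check before reaching the target.
function mopWrapper(target) {
  const gate = (op) => (t, k, ...rest) =>
    ALLOWED.has(k) ? Reflect[op](t, k, ...rest) : deny(k);
  return new Proxy(target, {
    getOwnPropertyDescriptor: gate("getOwnPropertyDescriptor"),
    has: gate("has"),
    get: gate("get"),
    set: gate("set"),
    defineProperty: gate("defineProperty"),
    deleteProperty: gate("deleteProperty"),
    // Assumption of this sketch: key enumeration is filtered too.
    ownKeys: (t) => Reflect.ownKeys(t).filter((k) => ALLOWED.has(k)),
  });
}

// Returns the operations through which a guessed name is confirmed to exist.
function probe(wrapper, name) {
  const ops = {
    get: () => wrapper[name] !== undefined,
    in: () => name in wrapper,
    getOwnPropertyDescriptor: () =>
      Object.getOwnPropertyDescriptor(wrapper, name) !== undefined,
    hasOwnProperty: () => Object.prototype.hasOwnProperty.call(wrapper, name),
  };
  return Object.keys(ops).filter((op) => {
    try { return ops[op](); } catch { return false; }
  });
}
```

With the get/set-only filter, `probe` still confirms `secretToken` through `in`, `getOwnPropertyDescriptor` and `hasOwnProperty`; with the MOP-level filter it confirms nothing outside the whitelist.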

