Array.prototype.slice web-compat issue?

Kevin Reid kpreid at google.com
Thu Aug 29 10:51:38 PDT 2013


On Wed, Aug 28, 2013 at 10:19 AM, Allen Wirfs-Brock
<allen at wirfs-brock.com> wrote:

> The problem is that in ES<6 slice always returned a new Array instance
> using the Array of the realm associated with the invoked slice function.
> In ES6 slice returns an object that is determined based upon the actual
> this value passed to slice.  In the default case like above, this will be
> a new Array instance using the Array of the realm associated with the
> this value.
>

!

This is a hazardous change for SES-style security. For example, I've just
taken a quick look at our (Caja) codebase and found a place where
Array.prototype.slice.call(foo) is used to obtain a “no funny business”
array (i.e. doesn't have side effects when you read it) and another where
it's used to obtain an array which must be in the caller's realm. These
would be easy enough to replace with a more explicit operation, but I
wanted to point out that this is not a harmless change.
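The hazard described above, as an added example that is not part of the original message or of the Caja code base. The names `Tracked`, `Noisy`, `es5StyleCopy`, `plainCopy` and `countLoggedReads` are constructed for this illustration. It shows the ES6 rule Allen describes (the result constructor of `Array.prototype.slice` is taken from the `this` value via `Symbol.species`) turning `Array.prototype.slice.call(foo)` into something that can hand back an object with a `get` hook, and the kind of explicit copy that restores the "no funny business, my realm's Array" guarantee.

```javascript
// Added example (not from the es-discuss post or from Caja).
// Demonstrates: under ES6 ArraySpeciesCreate, Array.prototype.slice builds its
// result with `new (this.constructor[Symbol.species])(length)`, so the caller
// no longer controls what kind of object comes back.

const readLog = [];

// Hypothetical species constructor: every instance is a Proxy that records
// each property read. A constructor may return an object, so `new Tracked(n)`
// yields the Proxy itself.
function Tracked(length) {
  return new Proxy(new Array(length), {
    get(target, key, receiver) {
      readLog.push(String(key));
      return Reflect.get(target, key, receiver);
    },
  });
}

// Hypothetical Array subclass whose species is Tracked. Any `this`-dependent
// Array.prototype method (slice, map, filter, ...) on a Noisy instance now
// allocates its result through Tracked.
class Noisy extends Array {
  static get [Symbol.species]() {
    return Tracked;
  }
}

// The pre-ES6 idiom: "give me a fresh, plain Array of my realm".
function es5StyleCopy(arrayLike) {
  return Array.prototype.slice.call(arrayLike);
}

// The explicit replacement: an array literal is always the current realm's
// Array and never consults Symbol.species. Reads of the *input* are
// unavoidable; what this guarantees is that the *result* carries no hooks.
function plainCopy(arrayLike) {
  const out = [];
  const len = Math.floor(Number(arrayLike.length)) || 0;
  for (let i = 0; i < len; i++) {
    out.push(arrayLike[i]);
  }
  return out;
}

// Sums the elements of `arr` and reports how many reads the Tracked proxy
// logged while doing so (one read of `length`, then one per element).
function countLoggedReads(arr) {
  readLog.length = 0;
  const n = arr.length;
  let sum = 0;
  for (let i = 0; i < n; i++) {
    sum += arr[i];
  }
  return { sum, logged: readLog.length };
}

function demo() {
  const src = Noisy.from([1, 2, 3]); // constructed input
  const viaSlice = es5StyleCopy(src);
  const viaPlain = plainCopy(src);
  return {
    // Both checks pass for the Proxy: it is indistinguishable from a plain Array.
    sliceLooksLikeArray: Array.isArray(viaSlice) && viaSlice instanceof Array,
    sliceResult: countLoggedReads(viaSlice), // logged: 4
    plainResult: countLoggedReads(viaPlain), // logged: 0
  };
}
```

`Array.isArray` and `instanceof Array` both answer true for the species-produced Proxy, so neither check can tell the two results apart; only building the result yourself (or using a built-in such as `Array.from(src)` invoked on your own realm's `Array`, which does not consult species) keeps the result free of hooks and in the caller's realm.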