Le 26/02/2012 17:10, Mark S. Miller a écrit : > On Sun, Feb 26, 2012 at 1:39 AM, David Bruant <bruan...@gmail.com > <mailto:bruan...@gmail.com>> wrote: > > > Creating cross-context chains with Object.create has not been > discussed > I think and should be fine... > > ....or not? > Given an attacker from context A, a defender from context D (I'll use > these letters to refer to the global object of each context). An > attacker can create an object like > ----- > var maliciousProto = Object.create(D.Object.prototype); > // Add whatever own properties to maliciousProto > > someObjectInD.__proto__ = maliciousProto > > > If D has already deleted F.Object.prototype.__proto__, then your > attack fails at the above step. True. I guess it's the reason why you said that __proto__ being an accessor or data property does not make that big of a difference from a security standpoint.
David
_______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss