On Aug 29, 2013, at 1:39 PM, Kevin Reid wrote:

> On Thu, Aug 29, 2013 at 12:56 PM, Allen Wirfs-Brock <[email protected]> 
> wrote:
>> On Aug 29, 2013, at 10:51 AM, Kevin Reid wrote:
>>> This is a hazardous change for SES-style security. For example, I've just 
>>> taken a quick look at our (Caja) codebase and found a place where 
>>> Array.prototype.slice.call(foo) is used to obtain a “no funny business” 
>>> array (i.e. doesn't have side effects when you read it) and another where 
>>> it's used to obtain an array which must be in the caller's realm. These 
>>> would be easy enough to replace with a more explicit operation, but I wanted 
>>> to point out that this is not a harmless change.
>> 
>> In the Array.prototype.slice.call(foo) use case, what is foo? Is it known to 
>> be an Array? Are you saying this is how you clone an Array?
> 
> Sorry, both are of that form, if I was unclear. When we want to simply clone 
> an existing array, belonging to a secured realm, I think we generally use 
> slice as a method, and there is no security property there.
> 
> Of the two cases I refer to, one is a function (the trademarking stamp()) 
> which takes a list of objects as a parameter and needs to ensure that 
> successive stages of processing operate on exactly the same set of objects 
> and do not trigger any side effects in the list's implementation. Here, realm 
> is irrelevant but the list's implementation must be relied on, so in practice 
> we want an Array from stamp()'s own realm.
> 
> The other case is one where it is a cross-frame protocol and we specifically 
> want an object which belongs to 'our own' realm because its prototypes are 
> frozen and specially extended, whereas the calling realm's prototypes notably 
> are not frozen (it's outside of the shiny happy sandbox) and therefore 
> constitute a risk to least-authority programming which we want to stop at the 
> boundaries. (Note for MarkM: It's actually a little bit more complicated than 
> this, but the details are irrelevant to the principle.)
> 

For both cases, are you using Array.isArray to determine that you are operating 
upon an array?

What would be the appropriate thing to happen (all things considered) in a 
world where subclasses of Array exist?

Allen

_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
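The hazard Kevin describes, and the Array.isArray check Allen asks about, as an added JavaScript example that is not part of this thread or of the Caja codebase. In ES5, Array.prototype.slice.call(foo) always returned a fresh plain Array of the realm that slice belongs to, which is what the "no funny business" idiom relied on. Under the @@species rule that ES2015 adopted, slice builds its result with foo.constructor[Symbol.species] whenever foo is an Array (subclass instances included), so whoever controls foo's constructor decides what object the caller gets back. The names SpeciesHijack, LoggingArray, looksLikePlainArray, plainCopy and readLog below are this example's own.

```javascript
// Added example (not from the es-discuss thread). Every read that goes
// through the hijacked slice result is recorded here.
const readLog = [];

class SpeciesHijack extends Array {
  // slice, map, filter, concat, splice consult this when creating their result.
  static get [Symbol.species]() {
    // Any constructor works as a species constructor; this one hands back a
    // Proxy that records every [[Get]] instead of a plain Array.
    return function LoggingArray(n) {
      return new Proxy(new Array(n), {
        get(target, key, receiver) {
          readLog.push(String(key));
          return Reflect.get(target, key, receiver);
        },
      });
    };
  }
}

// Checks a caller might reach for. All three pass on the Proxy above:
// Array.isArray looks through Proxies to the target, and since neither
// the getPrototypeOf nor the get trap is overridden for those keys,
// they forward to the plain Array target.
function looksLikePlainArray(x) {
  return Array.isArray(x) &&
    Object.getPrototypeOf(x) === Array.prototype &&
    x.constructor === Array;
}

function sliceCopyIsTainted() {
  const hostile = SpeciesHijack.of('a', 'b');
  // ES5: a plain Array of this realm. ES2015+: whatever LoggingArray returns.
  const copy = Array.prototype.slice.call(hostile);
  const looksPlain = looksLikePlainArray(copy);   // true, despite the Proxy
  const before = readLog.length;
  const first = copy[0];                          // the "harmless" read a later stage performs
  return { looksPlain, readsLogged: readLog.length - before, first };
}

// Explicit replacement for the old slice idiom. The array literal is always
// %Array% of this realm with this realm's Array.prototype, whatever `list` is.
// `list` is read once per index, so any side effects a hostile source has
// happen here, up front, and never again when later stages re-read `out`.
// Assumes this realm's own Array.prototype is intact (no numeric-index
// setters), which is what an SES-style frozen realm guarantees.
function plainCopy(list) {
  // Same clamping as ToLength: NaN/negative -> 0, capped at 2^53 - 1.
  const len = Math.min(Math.max(Math.trunc(Number(list.length)) || 0, 0),
                       Number.MAX_SAFE_INTEGER);
  const out = [];
  for (let i = 0; i < len; i++) out[i] = list[i];
  return out;
}

function plainCopyIsClean() {
  const tainted = Array.prototype.slice.call(SpeciesHijack.of('a', 'b'));
  const copy = plainCopy(tainted);   // reads 'length', '0', '1' through the Proxy once
  const before = readLog.length;
  const joined = copy[0] + copy[1];  // no trap fires on the plain copy
  return { looksPlain: looksLikePlainArray(copy), readsLogged: readLog.length - before, joined };
}
```

The point for the two Caja cases: once slice defers to @@species, Array.isArray on the result (or on the input) does not recover either property. The Proxy above satisfies Array.isArray, has Array.prototype as its reported prototype and reports Array as its constructor, yet every read of it is observable to the attacker. The only way to get an array that is both side-effect free and from your own realm is to construct it yourself, as plainCopy does, and treat the source as untrusted input that is read exactly once.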