On 02/24/2016 01:30 PM, Mark S. Miller wrote:
> [2] This solves only one of the cross-realm issues with stacks. It does nothing to address worries about cross-realm stacks.
We do have code in FF that handles cross-realm stacks, or at least a close moral equivalent to them. The stacks are stored internally as objects, and each frame records where it comes from, so a user will only see frames that it has privileges for. Obviously, once you convert to a string, you're past the point of control.
(Or at least, that's my understanding of what is going on. I'm not sure if that stuff is used for Error.stack yet.)

