My tests disagreed with this, and I figured out why.
Add another console.log(Object.isFrozen(fobj)) after the mutation.
That returns false.
My test didn't check isFrozen after freeze but before mutation.

On Mon, Apr 15, 2013 at 10:45 AM, Kevin Reid <[email protected]> wrote:
> The question was asked: how can we keep security-problems-for-us like
> FIREFOX_15_FREEZE_PROBLEM from occurring again? I see a subsidiary question
> in this: are they spec violations, or are we asking for things outside the
> spec?
>
> In this case, there is an ECMAScript spec violation, as demonstrated by this
> test case:
>
> <title>frame test page</title>
> <body>
> <script type="text/javascript">
>   var frame = document.createElement('iframe');
>   document.body.appendChild(frame);
>
>   var fobj = frame.contentWindow.Function(
>     "var o = {" +
>       "f: function() { o.x = 1; }" +
>     "};" +
>     "return o;"
>   )();
>   Object.freeze(fobj);
>   console.log(Object.isFrozen(fobj));  // true
>   console.log(fobj.x);  // undefined
>   fobj.f();
>   console.log(fobj.x);  // 1
> </script>
>
> The object fobj violates ES5 invariants by being extended despite being
> reported as non-extensible. Even though ES5 doesn't say anything about
> cross-frame operations, this doesn't matter because the freeze, isFrozen,
> and observation of mutation all occurred within one frame.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
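Added example, not part of the original thread and not Caja's own code: a probe that repeats the quoted test case and also records Object.isFrozen after the mutation attempt, the check the reply above points out. The names makeObject and probeFreeze are hypothetical; in a browser you would pass frame.contentWindow.Function as the constructor, while the default here is the current realm's Function so the probe runs anywhere.

```javascript
// Build the object from the quoted test case using the given Function
// constructor (assumption: defaults to the current realm's Function).
function makeObject(FunctionCtor = Function) {
  return FunctionCtor(
    "var o = {" +
      "f: function() { o.x = 1; }" +
    "};" +
    "return o;"
  )();
}

// Freeze obj, run mutate(obj), and report what was observed on both sides
// of the mutation attempt.
function probeFreeze(obj, mutate) {
  Object.freeze(obj);
  const frozenBefore = Object.isFrozen(obj);
  const keysBefore = Object.getOwnPropertyNames(obj).sort().join(",");

  let threw = false;
  try {
    mutate(obj);
  } catch (e) {
    threw = true; // strict-mode writes to a frozen object throw TypeError
  }

  const frozenAfter = Object.isFrozen(obj);
  const keysAfter = Object.getOwnPropertyNames(obj).sort().join(",");
  const extended = keysBefore !== keysAfter;

  return {
    frozenBefore,
    frozenAfter,
    threw,
    extended,
    // Invariant broken: the object was reported frozen, yet it gained or
    // lost own properties, or it later stopped being reported as frozen.
    violation: frozenBefore && (extended || !frozenAfter),
  };
}

const report = probeFreeze(makeObject(), function (o) { o.f(); });
console.log(report);
```

On an engine that upholds the ES5 invariants the report shows no extension and no violation; frozenAfter separates an engine that keeps claiming the object is frozen from one that silently drops the frozen state.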
